[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: selinux breaks revisor



On Tue, 2008-01-22 at 13:14 -0500, Jesse Keating wrote:
> On Tue, 22 Jan 2008 13:04:26 -0500
> Simo Sorce <ssorce redhat com> wrote:
> 
> > It seem to me that SELinux can provide for the same (or better)
> > "features" of chroot without actually requiring a chrooted
> > environment. So shouldn't we simply provide targeted policies and not
> > use chroot for known services ?
> 
> That's not the point of many chroot usages.  Frequently chroots are
> used to gain access to content from a different release or arch than
> what you have installed.  EG we use RHEL5 to create chroots of f9 and
> build packages within that chroot using F9 content.  Likewise we do a
> pure i386 package set on x86_64 to accomplish our i386 build.  These
> types of usages cannot be easily replaced with an selinux policy.

I am sorry,
I was thinking only about the security usage of chroots.
I have been using chroots for "mock like" usage myself to release samba
packages for older Debian releases for many years, should have just been
thinking harder :-)

What Yakoov wrote in the other emails makes a lot of sense indeed.

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]