On Thu January 24 2008, Daniel J Walsh wrote: > machine. For example if you are building a Fedora 7 livecd on a Fedora > 8 host machine, when the new selinux-policy package gets installed the > Fedora 7 policy will load and replace the Fedora 8 policy. This will > invalidate any contexts that existed in Fedora 8 and not in Fedora 7 > causing them to become unlabeled_t. If this happens to a process, the > process usually goes wild. We (SELinux engineering) is working on some > solutions, but don't have a good one now. > > Virtual machines? Getting the chroot to run with a different kernel. > Faking out /selinux in chroot to do nothing on policy load? > Trying to stop Transitions? Imho it would be nice if it was possible to mark (label) a directory from the outside to be the root of the chroot. Then everything within the chroot directory should have a label for the outside selinux and a label for the inside selinux. The selinus from the outside should allow everything within the chroot to to whatever it wants within the chroot (this could be configure within the policy), but should restrict access to everything outside the chroot. The selinux within the chroot then should act like there is only the inside policy and enforce it like it was the only one. Regards, Till
Description: This is a digitally signed message part.