[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: selinux breaks revisor



On Thu, Jan 24, 2008 at 05:48:20PM +0100, Till Maas wrote:
> > The main problem is detecting and handling accesses that cross the
> > policy boundary (non-chroot'd process attempts to access file within the
> > directory, chroot'd process manages to break out of the chroot and
> > attempts to access file outside of chroot).
> 
> When there were different "namespaces" for the inner and outer selinux, then 
> the outer selinux could handle the access trough the chroot bondary using the 
> normal host namespace and the inner selinux would only handle the access 
> within the chroot, using its own namespace.

What do you do if the outside namespace wants to label a file 
differently than the inner namespace?  Create separate namespaces for 
the on-disk xattrs?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]