Re: New stacker performance results

From: Valdis.Kletnieks@private
Date: Wed May 25 2005 - 09:36:55 PDT

On Wed, 25 May 2005 09:23:45 PDT, Casey Schaufler said:

> here is that nowhere is there a complete and
> accurate description of how, *in general* one
> would go about creating an arbitrary and
> complete policy using SELinux.

Real-life example:  There are many sites who do *not* necessarily need a
full-blown SELinux, but *do* want to express a policy that basically boils down
to "A chroot'ed process is not allowed to XYZ".

It appears the only way to do this inside SELinux is to define a special
chrooted_exec_t and force an auto_trans on exec.  And in general, it's very
hard to write a predicate that says "A process in condition/state X" - one has
to enumerate all the possible binaries and create a separate
"might_do_x_exec_t" (particularly interesting if you have binaries that might
do X if run one way, but not another (think anything that behaves differently
if launched from Cron) and start writing policy.  And if a given process might
end up in X *or* Y *or* Z, things start getting very ugly...

This archive was generated by hypermail 2.1.3 : Wed May 25 2005 - 09:37:23 PDT