On Wed, 2005-05-25 at 12:36 -0400, Valdis.Kletnieks@private wrote:
> Real-life example: There are many sites who do *not* necessarily need a
> full-blown SELinux, but *do* want to express a policy that basically boils down
> to "A chroot'ed process is not allowed to XYZ".
>
> It appears the only way to do this inside SELinux is to define a special
> chrooted_exec_t and force an auto_trans on exec. And in general, it's very
> hard to write a predicate that says "A process in condition/state X" - one has
> to enumerate all the possible binaries and create a separate
> "might_do_x_exec_t" (particularly interesting if you have binaries that might
> do X if run one way, but not another (think anything that behaves differently
> if launched from Cron) and start writing policy. And if a given process might
> end up in X *or* Y *or* Z, things start getting very ugly...

The difficulties in creating an effective jail have nothing to do with SELinux per se, and trying to do one without the full range of control offered by SELinux is likely to expose you to holes.

-- 
Stephen Smalley
National Security Agency
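The construction the quoted message describes (a dedicated chrooted_exec_t entrypoint type with an automatic domain transition on exec) written out as an added SELinux policy fragment; it is not part of this thread, and every type name in it (jailer_t, chrooted_t, chrooted_exec_t, chrooted_data_t) is hypothetical:

```selinux
# Added example, not from the thread. All type names are hypothetical.
# The idea: "the process is in state X" becomes "the process runs in domain
# chrooted_t", and the policy reaches that domain through one entrypoint
# type instead of enumerating every binary that might end up jailed.
type jailer_t, domain;
type chrooted_t, domain;
type chrooted_exec_t, file_type, exec_type;
type chrooted_data_t, file_type;

# This is what an "auto_trans on exec" expands to: the parent may execute the
# entrypoint file, the child may enter through it, and the parent may
# transition to the child domain; the type_transition makes it automatic.
allow jailer_t chrooted_exec_t:file { read getattr execute };
allow chrooted_t chrooted_exec_t:file { read getattr execute entrypoint };
allow jailer_t chrooted_t:process transition;
type_transition jailer_t chrooted_exec_t:process chrooted_t;

# Only the allow rules written here apply to the jailed domain: here,
# read-only access to its own data directory and nothing else.
allow chrooted_t chrooted_data_t:dir { search getattr read };
allow chrooted_t chrooted_data_t:file { read getattr };

# Smalley's point: the transition alone is not a jail. The "not allowed to
# XYZ" half has to be stated over every object class the process can reach,
# and neverallow makes the policy compiler reject any later rule that would
# quietly reopen one of these paths.
neverallow chrooted_t self:capability { sys_chroot sys_admin sys_ptrace };
neverallow chrooted_t file_type:file { write create unlink };
neverallow chrooted_t domain:process { ptrace sigkill };
```

The fragment is deliberately incomplete in the direction Smalley warns about: sockets, IPC, devices and proc entries each need their own rules before the domain is a jail rather than a label.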
This archive was generated by hypermail 2.1.3 : Wed May 25 2005 - 09:47:17 PDT