On Wed, 2005-05-25 at 12:37 -0400, Stephen Smalley wrote:
> On Wed, 2005-05-25 at 12:36 -0400, Valdis.Kletnieks@private wrote:
> > Real-life example: There are many sites who do *not* necessarily need a
> > full-blown SELinux, but *do* want to express a policy that basically boils down
> > to "A chroot'ed process is not allowed to XYZ".
> >
> > It appears the only way to do this inside SELinux is to define a special
> > chrooted_exec_t and force an auto_trans on exec. And in general, it's very
> > hard to write a predicate that says "A process in condition/state X" - one has
> > to enumerate all the possible binaries and create a separate
> > "might_do_x_exec_t" (particularly interesting if you have binaries that might
> > do X if run one way, but not another (think anything that behaves differently
> > if launched from Cron) and start writing policy. And if a given process might
> > end up in X *or* Y *or* Z, things start getting very ugly...
>
> The difficulties in creating an effective jail have nothing to do with
> SELinux per se, and trying to do one without the full range of control
> offered by SELinux is likely to expose you to holes.

BTW, SELinux does support dynamic context transitions these days via
setcon(3). Not that I'd recommend using it over exec-based
transitions, mind you, but it does exist.

-- 
Stephen Smalley
National Security Agency
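
The two transition mechanisms mentioned in this thread, sketched as a type-enforcement policy fragment. This is an added example, not policy from either poster or from the SELinux project: daemon_t and chrooted_t are hypothetical type names (only chrooted_exec_t appears in the thread), the sys_chroot rule is a constructed stand-in for "XYZ", and the attribute and role declarations needed to load it are omitted.

```selinux
# Hypothetical types: daemon_t is the domain that calls chroot(2),
# chrooted_t is the confined domain, chrooted_exec_t labels the binary
# that is executed inside the chroot.
type daemon_t;
type chrooted_t;
type chrooted_exec_t;

# --- Exec-based transition (the "auto_trans on exec" approach) ---
# The caller may execute the labelled file ...
allow daemon_t chrooted_exec_t:file { getattr read execute };
# ... the file is a valid entry point into the confined domain ...
allow chrooted_t chrooted_exec_t:file entrypoint;
# ... the process transition itself is permitted ...
allow daemon_t chrooted_t:process transition;
# ... and it happens by default whenever daemon_t execs that file.
type_transition daemon_t chrooted_exec_t:process chrooted_t;

# --- Dynamic transition via setcon(3) ---
# No exec and no entrypoint file: the running process switches its own
# context, so daemon_t must be trusted to make the call at the right point.
allow daemon_t self:process setcurrent;
allow daemon_t chrooted_t:process dyntransition;

# --- "A chroot'ed process is not allowed to XYZ" ---
# Type enforcement denies by default, so the restriction is expressed by
# granting chrooted_t no allow rule for the operation. A neverallow turns
# that into a build-time assertion: the policy fails to compile if any
# later rule grants it. sys_chroot is a constructed stand-in for XYZ.
neverallow chrooted_t self:capability sys_chroot;
```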