From Fedora Project Wiki
Notes on Dan Walsh's SELinux talk. This is incomplete; I was making notes mainly on what interested me and was newer information to share. (quaid)
- Kernel unstable state with chroots == having different policy in chroot than in kernel memory
- The /selinux/ filesystem is faked out in the chroot, with the proper policy
- This lets the packages install correctly
- New kernel change requested, to allow a file context to be written by the kernel that does not exist in the active running policy
- At the end, restorecon is run and it is allowed to put down labels the running kernel does not understand
- For mock, trick mock into thinking SELinux is not enforcing.
- Guest and Xguest:
  - no exec in ~/
    - add tmp/?
  - no setuid applications
  - write specific policy to allow a transition for specific apps, e.g. NetworkManager etc.
  - lock all ports, only allow Firefox or other specific network apps
    - list of ports here is also limited
Open Issues
- Need .26 kernel in F9 to get in the changes
Goals
- Do not allow RPM to make changes to the running kernel