• 1

Re: Ease of control

Lets take these one at a time. SELinux does not really give us the flexibility to change the policy on the fly like you suggest. Allowing you to open up a few selected ports would involve writing policy and assigning ports to it, compiling it up and loading it into the kernel. Not something I am going to allow the setuid app to do. You should bring this up for dicussion on the nsa selinux list because I agree that it is a good suggestion.

I think having a -S share option would be a good idea. The problem is in the execution. Do I bind mount the file into the new userspace or do I copy it in and copy it back out when I am complete. I would think bind mounts would be the best idea, although I would need to change the context on the file/directory that is being shared while it is in the sandbox.

  • 1

Log in