> If you're trying to do it with SELinux policy, that would require opening the
> locale file before the chroot, then changing the selinux context to something
> that can't open locale_t and then doing the chroot. Unfortunately, that's fast
> approaching "cure is worse than the disease", because it means the initial
> context has to have the ability to change its context (in the standard selinux
> policy, that's restricted to only 2 or 3 binaries like 'newrole').

Actually, this has no relation with binaries. Transitions are defined per domain in SELinux policy. For additional information, refer to: http://danwalsh.livejournal.com/23944.html

> We're lucky nobody has looked into what should happen on an
> MLS-enabled system :)

I don't think sensitivity levels would make any difference in this case in the current SELinux MLS policy.

--
Ramon de C Valle / Red Hat Security Response Team

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
