On 08/08/2016 01:41 PM, Daniel J Walsh wrote:
> I have been requested by some container people to make this only
> readable not writable to prevent certain types of attacks on the
> kernel. No idea if this is a good idea or not.
Would require a kernel change. Support for per-file labeling of /proc/pid came up previously in SE for Android, so the SE for Android todo list has an item here:

    Extend SELinux /proc/pid labeling support to support derived types on
    specific /proc/pid files based on both the associated task context and
    the file name, e.g. name-based type transitions. This would allow
    applying different restrictions to different /proc/pid files of the
    same process via SELinux.

Probably should go on the SELinux kernel todo list.
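As an added illustration, not part of the thread: the name-based type transition mechanism the reply refers to, as it already exists for ordinary filesystems (policy version 25 and later). A file created with a particular name under a directory of a given type receives a derived type, and the allow rules can then differ per file name. The domain, types and the file name "control" below are hypothetical. The todo item asks for the same kind of rule keyed on the task's context and the /proc/pid file name, which the kernel does not support as of this message.

```selinux
# Hypothetical types, for illustration only.
type container_t;
type app_data_t;
type app_control_t;

# Existing name-based type transition: when container_t creates a file
# literally named "control" in a directory labeled app_data_t, the new
# file is labeled app_control_t instead of inheriting app_data_t.
type_transition container_t app_data_t:file app_control_t "control";

# Other files under app_data_t remain fully read/write for the domain.
allow container_t app_data_t:dir { search add_name write };
allow container_t app_data_t:file { create read write open getattr };

# The derived type is deliberately read-only after creation: no write
# permission is granted, so a later write to "control" is denied by policy.
allow container_t app_control_t:file { create read open getattr };
```

Without the name-based rule, every file the domain creates under app_data_t would carry app_data_t and be writable; the derived type is what makes a per-file restriction expressible. For /proc/pid the files are labeled from the owning task's context rather than created under a directory type, which is why the reply says the extension needs kernel work rather than policy alone.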