On 08/08/2016 01:41 PM, Daniel J Walsh wrote:
> I have been requested by some container people to make this only
> readable not writable to prevent certain types of attacks on the
> 
> kernel.  No idea if this is a good idea or not.

Would require a kernel change.  Support for per-file labeling of
/proc/pid came up previously in SE for Android, so the SE for Android
todo list has an item here:

Extend SELinux /proc/pid labeling support to support derived types on
specific /proc/pid files based on both the associated task context and
the file name, e.g. name-based type transitions. This would allow
applying different restrictions to different /proc/pid files of the same
process via SELinux.

Probably should go on the SELinux kernel todo list.

_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Reply via email to