On Mon, Aug 8, 2016 at 2:32 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 08/08/2016 01:41 PM, Daniel J Walsh wrote:
>> I have been requested by some container people to make this only
>> readable not writable to prevent certain types of attacks on the
>>
>> kernel.  No idea if this is a good idea or not.
>
> Would require a kernel change.  Support for per-file labeling of
> /proc/pid came up previously in SE for Android, so the SE for Android
> todo list has an item here:
>
> Extend SELinux /proc/pid labeling support to support derived types on
> specific /proc/pid files based on both the associated task context and
> the file name, e.g. name-based type transitions. This would allow
> applying different restrictions to different /proc/pid files of the same
> process via SELinux.
>
> Probably should go on the SELinux kernel todo list.

Added.

FWIW, at some point this year when I've got a few hours to burn I'm
probably going to setup a mirror of the SELinux kernel repo in the
GitHub and start tracking these things as GitHub issues instead of the
wiki.  I've been doing this for audit and it has been working
reasonably well and provides for more history/discussion than the wiki
approach we are currently using.  Unfortunately it doesn't solve the
problem of being short a few kernel devs :)

-- 
paul moore
www.paul-moore.com
_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Reply via email to