On Mon, Aug 8, 2016 at 2:32 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 08/08/2016 01:41 PM, Daniel J Walsh wrote:
>> I have been requested by some container people to make this only
>> readable not writable to prevent certain types of attacks on the
>> kernel. No idea if this is a good idea or not.
>
> Would require a kernel change. Support for per-file labeling of
> /proc/pid came up previously in SE for Android, so the SE for Android
> todo list has an item here:
>
> Extend SELinux /proc/pid labeling support to support derived types on
> specific /proc/pid files based on both the associated task context and
> the file name, e.g. name-based type transitions. This would allow
> applying different restrictions to different /proc/pid files of the same
> process via SELinux.
>
> Probably should go on the SELinux kernel todo list.
Added.

FWIW, at some point this year when I've got a few hours to burn I'm probably going to set up a mirror of the SELinux kernel repo on GitHub and start tracking these things as GitHub issues instead of the wiki. I've been doing this for audit and it has been working reasonably well and provides for more history/discussion than the wiki approach we are currently using. Unfortunately it doesn't solve the problem of being short a few kernel devs :)

--
paul moore
www.paul-moore.com