On Thu, 2005-06-09 at 20:20 +0100, Luke Kenneth Casson Leighton wrote:
> manoj, hi,
> i am delighted to see the above web page re: selinux.
> i notice you mention that there is an effort underway to make
> a uml-selinux.
> perhaps i should mention that it is utterly trivial to set up
> a xen system with a guest domain running pretty much any kind
> of kernel - including selinux enabled ones.

We have been running selinux guest kernels in uml for years, that was
not the issue here, or are you just doing xen advocacy?

The question was about ensuring proper containment of the UML kernel
process *from outside*, with regards to the way uml handles tmpfs (which
it uses as a ram backing store with execute attributes).

> people who are not happy about using or waiting for uml-selinux
> might want to consider either temporarily or permanently
> utilising xen instead.

Running uml-selinux guests is not a problem, and xen is not necessarily
the right approach for everything: the system virtualisation does not
happen at the same os level. Can you control your xen instance from
within a selinux controlled system? (note: I am not talking about
running selinux from within a xen instance)

> p.s. xen's a lot damn quicker, too. quick enough so that you can
> seriously consider just doing apt-get update, blah blah.

uml on x86 with the skas3 patch is very fast.
We've been running debian guests (inc apt-get) just fine for years.