Why is libcap-ng not postponed until #1103622 is fixed? (which probably won't be tomorrow)
Over a month later sandboxes are still broken.
Will this be fixed sometime this year or is the SELinux sandbox feature dead for real?
On 08/02/2014 05:57 AM, Robert Horovitz wrote:
Why is libcap-ng not postponed until #1103622 is fixed? (which probably won't be tomorrow)
Over a month later sandboxes are still broken.
Will this be fixed sometime this year or is the SELinux sandbox feature dead for real?
There is a change to the kernel that is making its way upstream that should allow us to fix the feature.
Basically right now, a file to libaudit forces us to turn off the ability for the sandboxed apps to run setuid programs; this also causes the kernel to prevent SELinux from execute/transition. We have a patch to the kernel that will allow processes to execute/transition to a different domain even if setuid is blocked, IFF the app is allowed to transition internally.
Once this is enabled we can change the policy to allow transitioning to work again.