From: antoine <antoine@nagafix.co.uk>
To: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
Cc: SE-Linux <selinux@tycho.nsa.gov>,
debian-devel@lists.debian.org,
Blaisorblade <blaisorblade@yahoo.it>,
Jeff Dike <jdike@addtoit.com>
Subject: Re: http://www.golden-gryphon.com/software/security/selinux.xhtml
Date: Thu, 09 Jun 2005 23:42:00 +0100
Message-ID: <1118356920.10190.175.camel@localhost>
In-Reply-To: <20050609192026.GM8525@lkcl.net>
On Thu, 2005-06-09 at 20:20 +0100, Luke Kenneth Casson Leighton wrote:
> manoj, hi,
>
> i am delighted to see the above web page re: selinux.
Err?
>
> i notice you mention that there is an effort underway to make
> a uml-selinux.
>
> perhaps i should mention that it is utterly trivial to set up
> a xen system with a guest domain running pretty much any kind
> of kernel - including selinux enabled ones.
We have been running selinux guest kernels in uml for years, that was
not the issue here, or are you just doing xen advocacy?
The question was about ensuring proper containment of the UML kernel
process *from outside*, with regard to the way UML handles tmpfs (which
it uses as a RAM backing store with execute attributes).
> people who are not happy about using or waiting for uml-selinux
> might want to consider either temporarily or permanently
> utilising xen instead.
Running uml-selinux guests is not a problem, and xen is not necessarily
the right approach for everything: the system virtualisation does not
happen at the same os level. Can you control your xen instance from
within a selinux controlled system? (note: I am not talking about
running selinux from within a xen instance)
> l.
>
> p.s. xen's a lot damn quicker, too. quick enough so that you can
> seriously consider just doing apt-get update, blah blah.
uml on x86 with the skas3 patch is very fast.
We've been running debian guests (inc apt-get) just fine for years.
Antoine
Thread overview: 5+ messages
2005-06-09 19:20 http://www.golden-gryphon.com/software/security/selinux.xhtml Luke Kenneth Casson Leighton
2005-06-09 22:42 ` antoine [this message]
2005-06-09 23:20 ` http://www.golden-gryphon.com/software/security/selinux.xhtml Luke Kenneth Casson Leighton
2005-06-10 1:21 ` http://www.golden-gryphon.com/software/security/selinux.xhtml antoine
2005-06-10 4:33 ` http://www.golden-gryphon.com/software/security/selinux.xhtml Manoj Srivastava