On Saturday 15 January 2005 09:13, Alexandre Oliva aoliva@redhat.com wrote:
In my case, what I used to do was to maintain two or more installs on each box, each of them up-to-date, such that, in case I messed up with the daily-use install (say rawhide), I could go back to a known-good install (say FC3 or even FC2).
The best thing to do would be to occasionally boot the older system to update it.
What would be really nice would be if loading a policy into selinux affected the behavior within that chroot (or rather within the directory tree accessible from the root at the time of policy load),
SE Linux controls all aspects of system security, including global thing such as mounting file systems and directly writing to block devices. If the chroot had a local policy as you suggest then which policy would control writing to the device node for the boot device?
Something like Xen is what you need. The below URL about Xen and hypervisor security may interest you.
http://sourceforge.net/mailarchive/forum.php?thread_id=6364737&forum_id=...