On Feb 19, 2005, Russell Coker russell@coker.com.au wrote:
SE Linux controls all aspects of system security, including global things such as mounting file systems and directly writing to block devices. If the chroot had a local policy as you suggest, then which policy would control writing to the device node for the boot device?
Err... No differently from the way the Xen solution you recommended would? Except, perhaps, for...
http://sourceforge.net/mailarchive/forum.php?thread_id=6364737&forum_id=...
which would require presumably yet another layer of MAC configuration files. Which means yet another level of setting up and overlapping settings, not really different from one possible implementation for chroot policies.