|Main Archive Page > Month Archives > selinux archives|
-----BEGIN PGP SIGNED MESSAGE-----
On 03/16/2012 10:30 AM, Mikhail Efremov wrote:
> On Fri, 16 Mar 2012 09:38:10 -0400 Daniel J Walsh wrote:
>> On 03/16/2012 08:50 AM, Mikhail Efremov wrote:
>>> The CAP_* constants should not be or'ed, it is the bit numbers.
>>> And grant the access to the audit system too.
>> I talked to the developer of libcap-ng (Steve Grubb) and he
>> stated that you are correct but "you should use the 'v' version
>> of update which allows you to update in just 1 library call. The
>> capabilities should be separated with a comma and to mark the end
>> you put a -1:"
>> capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
>> CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN, CAP_DAC_OVERRIDE,
>> CAP_SETPCAP, CAP_AUDIT_WRITE, - -1);
> Thanks, I didn't notice this function. Here are updated patches.
The other problem I have with newrole is that we probably should not
drop the BOUNDING Set, since after you newrole you should be still
allowed to execute apps that use capabilities.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to firstname.lastname@example.org with the words "unsubscribe selinux" without quotes as the message.