
Re: [RFC v2][PATCH] selinux: enable authoritative granting of capabilities

From: Casey Schaufler <casey_at_nospam>
Date: Fri Jun 15 2007 - 15:14:08 GMT
To: Stephen Smalley <sds@tycho.nsa.gov>, selinux@tycho.nsa.gov

Stephen Smalley <sds@tycho.nsa.gov> wrote:

> Second RFC on this patch, collects up discussion and changes so far. If
> no objections, then this will be re-posted as just a [PATCH] on selinux
> and lkml.
>
> ---
>
> Extend SELinux to allow capabilities to be granted authoritatively
> based solely on SELinux policy, enabling users of SELinux to
> selectively reduce or fully eliminate the need for a "root" user and
> setuid executables. This provides an alternative approach to file
> capabilities without conflicting with it.

Why don't you just work with the people who are getting the file capabilities working and integrate that into SELinux? Why do you have to take this tangent and confuse everything?

There. An objection. I do not believe you've demonstrated that using the proposed file capabilities can't get you what you want, and that we don't need two implementations of the same thing.

Casey Schaufler
casey@schaufler-ca.com