Re: PATCH: peersid capability support

On Thursday 29 November 2007 4:24:35 pm Stephen Smalley wrote:
> On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
> > This is a reworking of the peersid capability patch Joshua sent out
> > a few weeks ago. This version requires added explicit declaration of
> > capabilities in the policy.
> >
> > I've used the same strings that Paul's kernel diff used (there is
> > currently just a single capability).
> >
> > Note that capability declarations are not limited to base.conf /
> > policy.conf as we would like to eventually get rid of the base vs. module
> > distinction.
>
> Taking the union of the capabilities at link time seems worrisome to me.
> I'd be more inclined to require equivalence or take the intersection.

I agree with Stephen, to allow a single module to set a capability bit without consideration for the rest of the loaded/installed modules could introduce some very weird behavior ... that is unless you policy folks have some freaky ability to peer* into the future ;)

*intentional pun -- paul moore linux security @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

• This message: [ Message body ]
• Next message: Christopher J. PeBenito: "Re: refpolicy HEAD, Debian, patch for udev.te"
• Previous message: Václav Ovsík: "Re: refpolicy HEAD, Debian, patch for udev.te"
• In reply to: Stephen Smalley: "Re: PATCH: peersid capability support"
• Next in thread: Joshua Brindle: "Re: PATCH: peersid capability support"
• Reply: Joshua Brindle: "Re: PATCH: peersid capability support"
• Reply: Christopher J. PeBenito: "Re: PATCH: peersid capability support"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]