selinux diversion [was Re: Usermode request: add patch enabling group membership to control auth user]

Daniel J Walsh dwalsh at redhat.com
Fri Apr 16 16:19:49 UTC 2004


Matthew Miller wrote:

>[changing the subject because I didn't really mean to get derailed on the
>SELinux thing.]
>
>On Fri, Apr 16, 2004 at 10:20:48AM -0400, Stephen Smalley wrote:
>
>>- Bounded privilege escalation is a good thing.
>
>Definitely.
>
>>- You can configure the policy to do as you wish, and I think that the
>>policy tunables already exist to allow it (and are even enabled by
>>default in the RH policy).
>
>Not sure what "it" is referring to in this sentence.
>
>>- The existing permissions model is fundamentally inadequate by itself,
>>and it makes no sense to try to turn DAC into MAC.  See
>>http://www.nsa.gov/selinux/papers/inevit-abs.cfm.
>
>Yep. I'm just increasingly unsure about the implementation. If a SELinux
>configuration can allow a user to access things that would normally be
>denied by traditional Unix security, that's *crazy*.
>
No, DAC is still being enforced.




