Re: Fedora 11: moving to posix file capabilities?

On Wed, 2008-10-29 at 16:52 -0400, Colin Walters wrote:
> On Wed, Oct 29, 2008 at 4:39 PM, Steve Grubb <sgrubb redhat com> wrote:

> > No this is about PolicyKit being another MAC system that needs configuring.
> Of course it would be ideal if there were One True MAC system, but
> AFAIK the story on SELinux is still that the system must be secure
> without it, and other vendors that we care about from the desktop
> perspective (personally I just care about Ubuntu and OpenSolaris)
> haven't yet finished integrating it.

Of course just so it's been said...setting capabilities on binaries has
little to do (or should have *very* little to do) with SELinux. Ever :)

Personally I think switching to fully POSIX file caps is a wonderful
idea for sometime around 2010 or a bit later, but it's not practical for
regular system utilities that might be sitting on older filesystems to
do this today. Root NFS will break, many custom spins, just a lot of
stuff is going to be very unhappy if we start doing this.


