Usermode request: add patch enabling group membership to control auth user
Stephen Smalley
sds at epoch.ncsc.mil
Fri Apr 16 14:20:48 UTC 2004
On Fri, 2004-04-16 at 09:58, Matthew Miller wrote:
> I'm all for enhanced security, but I'm getting to be really skeptical about
> SELinux. Layering an invisible shrinkwrap over everything and ignoring the
> old permissions/authentication model completely is not the right solution
> for Linux.
- Bounded privilege escalation is a good thing.
- You can configure the policy to do as you wish, and I think that the
policy tunables already exist to allow it (and are even enabled by
default in the RH policy).
- The existing permissions model is fundamentally inadequate by itself,
and it makes no sense to try to turn DAC into MAC. See
http://www.nsa.gov/selinux/papers/inevit-abs.cfm.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the fedora-test-list mailing list