[redhat-lspp] Re: newrole, UID change, etc
Russell Coker
rcoker at redhat.com
Fri Apr 21 05:01:06 UTC 2006
On Thu, 2006-04-20 at 10:58 -0400, Chad Hanson wrote:
> I agree with this idea as well....
Sounds like a good idea to me too.
> > If that is your concern, then maybe you should follow the suggestion I
> > gave Serge Hallyn on linux-security-module earlier this week for
> > enabling SELinux to selectively override capabilities. Just introduce a
> > new cap_override security class that mirrors capability, and change
> > selinux_capable to check it first. If granted by that security class,
> > then skip the call to the secondary module and authoritatively grant the
> > capability based on SELinux domain alone. If denied by that security
> > class, recheck the normal capability class, and if that is allowed, call
> > the secondary module as usual to require both to pass. Then you can
> > give out Linux capabilities selectively to non-uid 0 processes, while
> > phasing it in gradually without disturbing existing policy and without
> > immediately exposing everything to risk.
> >
More information about the redhat-lspp
mailing list