[redhat-lspp] Re: newrole, UID change, etc

Steve Grubb sgrubb at redhat.com
Tue Apr 25 12:59:23 UTC 2006


On Monday 24 April 2006 16:08, Stephen Smalley wrote:
> If we want to permit capability granting w/o uid 0, then that is a
> kernel change, not a newrole change.

So far, in all the talks we've ever had about SE Linux, it's always been 
advertised as limiting existing permission. I would be hesitant to allow SE 
Linux to start granting permissions. I think it's not necessary, potentially a 
security risk if not done carefully, and would confuse people that have 
managed to learn SE Linux about why it can now escalate permission instead of 
restrict it.

-Steve



