[redhat-lspp] New pam src rpm with namespace

Stephen Smalley sds at tycho.nsa.gov
Fri Feb 17 18:25:17 UTC 2006


On Fri, 2006-02-17 at 10:04 -0600, Klaus Weidner wrote:
> Hmmm, would it be feasible to subdivide CAP_SYS_ADMIN into individual
> extended capability bits, and have a backwards compatibility mode where
> these are ORed into a single bit? In other words, have new kernels check
> for both CAP_SYS_ADMIN and CAP_SYS_ADMIN_NAMESPACE (stored separately)?
> But I guess the main issue is avoiding the extra baggage for each process
> structure, and SELinux policy (or alternatively AppArmor or other LSM
> hooks) is probably the better way to handle fine grained restrictions.

Yes, it is preferable to add LSM hooks and introduce finer-grained
checking in the security modules, while retaining the legacy capability
check as well.  But the problem here is that what we actually want to do
in this case is to allow namespace manipulation w/o allowing other
operations controlled by CAP_SYS_ADMIN.  Which would mean that we would
have to check all locations where CAP_SYS_ADMIN is checked (> 300 sites)
to see if they are covered already by an existing LSM hook other than
capable, and if not, add hooks to ensure coverage.  Not just modifying
the namespace operations.

-- 
Stephen Smalley
National Security Agency
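A constructed C model of the point made above, added here and not code from the thread or from the kernel: the legacy capable(CAP_SYS_ADMIN) check is retained, a finer-grained LSM hook is layered on at the sites that have one, and any CAP_SYS_ADMIN site without a hook is a place where policy cannot restrict a process that had to be given the capability for namespace work. The enum, struct task, site_hook table and lsm_hook function are hypothetical stand-ins, not kernel interfaces.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not kernel code): a single coarse CAP_SYS_ADMIN bit,
 * with hypothetical LSM hooks layered on at only some of the sites. */
enum op { OP_NAMESPACE = 0, OP_MOUNT, OP_OTHER, OP_COUNT };
static const char *op_name[OP_COUNT] = { "namespace", "mount", "other" };

struct task {
    bool cap_sys_admin;            /* legacy capability bit */
    bool policy_allow[OP_COUNT];   /* hypothetical fine-grained LSM policy */
};

/* Hypothetical LSM hook: consults the per-operation policy. */
static bool lsm_hook(const struct task *t, enum op o) { return t->policy_allow[o]; }

/* Which CAP_SYS_ADMIN sites carry an LSM hook besides capable(). OP_OTHER
 * stands in for the many sites that have not yet been audited. */
static bool (*site_hook[OP_COUNT])(const struct task *, enum op) = {
    [OP_NAMESPACE] = lsm_hook, [OP_MOUNT] = lsm_hook, [OP_OTHER] = NULL,
};

/* Access decision: the legacy capability check is kept, and the LSM hook can
 * only restrict further, and only at sites where one exists. */
bool permitted(const struct task *t, enum op o) {
    if (!t->cap_sys_admin) return false;
    if (site_hook[o] && !site_hook[o](t, o)) return false;
    return true;
}

/* Audit: count sites where policy cannot restrict a CAP_SYS_ADMIN holder. */
int uncovered_sites(void) {
    int n = 0;
    for (int o = 0; o < OP_COUNT; o++) if (!site_hook[o]) n++;
    return n;
}

int main(void) {
    /* A process meant only to manipulate namespaces still needs CAP_SYS_ADMIN. */
    struct task t = { .cap_sys_admin = true, .policy_allow = { [OP_NAMESPACE] = true } };
    for (int o = 0; o < OP_COUNT; o++)
        printf("%-9s: %s%s\n", op_name[o], permitted(&t, o) ? "allowed" : "denied",
               site_hook[o] ? "" : " (no LSM hook: policy cannot restrict)");
    printf("uncovered CAP_SYS_ADMIN sites: %d\n", uncovered_sites());
    return 0;
}
```

Running it shows the namespace operation allowed, mount denied by policy, and the unhooked "other" site allowed regardless of policy, which is the coverage problem that makes the audit of every CAP_SYS_ADMIN site necessary.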
