[redhat-lspp] New pam src rpm with namespace

Klaus Weidner klaus at atsec.com
Fri Feb 17 16:04:21 UTC 2006


On Fri, Feb 17, 2006 at 08:43:10AM -0500, Stephen Smalley wrote:
> On Fri, 2006-02-17 at 07:29 -0600, Serge E. Hallyn wrote:
> > be done in addition to this - would be to have unshare be checked by an
> > LSM hook, security_task_unshare(), which in capability.c happens to
> > check CAP_SYS_ADMIN, but in selinux checks for
> > 
> > 	self:process unshare
> > 
> > and doesn't propagate the check to capability.
> 
> We have to be careful about dropping out capability checks in the
> SELinux case because of people running targeted policy (with unconfined
> users).

It's also a slippery slope from the evaluation point of view, since it's
not compatible with the view that SELinux only adds additional
restrictions. I think I'd prefer the approach of giving CAP_SYS_ADMIN to
the process and then adding further checks in the policy.

Hmmm, would it be feasible to subdivide CAP_SYS_ADMIN into individual
extended capability bits, and have a backwards compatibility mode where
these are ORed into a single bit? In other words, have new kernels check
for both CAP_SYS_ADMIN and CAP_SYS_ADMIN_NAMESPACE (stored separately)?
But I guess the main issue is avoiding the extra baggage for each process
structure, and SELinux policy (or alternatively AppArmor or other LSM
hooks) is probably the better way to handle fine-grained restrictions.

-Klaus
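An added example (not code from the thread): a C program that parses the CapEff line of /proc/self/status to see whether the caller holds the CAP_SYS_ADMIN bit that the capability.c check gates unshare on, then attempts unshare(CLONE_NEWNS) and reports whether the kernel permitted it. It assumes Linux with /proc mounted; the parsing works on any status line, and the unshare attempt shows that the capability bit is necessary but, once an LSM hook is also consulted, not sufficient.

```c
#define _GNU_SOURCE   /* glibc exposes unshare()/CLONE_NEWNS only with this */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000   /* value from linux/sched.h */
#endif
int unshare(int flags);          /* prototype, in case sched.h hid it */
#define CAP_SYS_ADMIN 21         /* bit index, as in linux/capability.h */

/* Parse a "CapEff:\t<hex>" line from /proc/<pid>/status into a 64-bit mask.
 * Returns 0 on success, -1 if the line is not a well-formed CapEff line. */
int parse_capeff(const char *line, unsigned long long *mask)
{
    const char *p; char *end;
    if (strncmp(line, "CapEff:", 7) != 0) return -1;
    for (p = line + 7; *p == ' ' || *p == '\t'; p++) {}
    errno = 0;
    *mask = strtoull(p, &end, 16);
    return (errno != 0 || end == p) ? -1 : 0;
}

/* 1 if the status line grants capability cap, 0 if not, -1 on parse error. */
int capeff_line_has_cap(const char *line, int cap)
{
    unsigned long long mask;
    if (parse_capeff(line, &mask) != 0) return -1;
    return (int)((mask >> cap) & 1ULL);
}
/* Same check against the caller's own /proc/self/status. */
int self_has_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int rc = -1;
    if (!f) return -1;
    while (rc == -1 && fgets(line, sizeof line, f))
        rc = capeff_line_has_cap(line, cap);
    fclose(f);
    return rc;
}
int main(void)
{
    printf("CAP_SYS_ADMIN in CapEff: %d\n", self_has_cap(CAP_SYS_ADMIN));
    /* The capability bit is only the first gate; an LSM such as SELinux can still deny. */
    printf("unshare(CLONE_NEWNS): %s\n",
           unshare(CLONE_NEWNS) == 0 ? "permitted" : strerror(errno));
}
```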



