On Mon, 17 Apr 2006 22:26:24 BST, Alan Cox said: (Two replies to this paragraph, addressing 2 separate issues....) > You can implement a BSD securelevel model in SELinux as far as I can see > from looking at it, and do it better than the code today, so its not > really a feature drop anyway just a migration away from some fossils If we heave the LSM stuff overboard, there's one thing that *will* need addressing - what to do with kernel support of Posix-y capabilities. Currently some of the heavy lifting is done by security/commoncap.c. Frankly, that's *another* thing that we need to either *fix* so it works right, or rip out of the kernel entirely. As far as I know, there's no in-tree way to make /usr/bin/ping be set-CAP_NET_RAW and have it DTRT.
Attachment:
pgpIhejJNSFMQ.pgp
Description: PGP signature
- Follow-Ups:
- Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- From: Pavel Machek <[email protected]>
- Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- From: Crispin Cowan <[email protected]>
- Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- From: "Serge E. Hallyn" <[email protected]>
- Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- References:
- [RFC] packet/socket owner match (fireflier) using skfilter
- From: Török Edwin <[email protected]>
- [RFC][PATCH 2/7] implementation of LSM hooks
- From: Török Edwin <[email protected]>
- Re: [RFC][PATCH 2/7] implementation of LSM hooks
- From: Stephen Smalley <[email protected]>
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Török Edwin <[email protected]>
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Stephen Smalley <[email protected]>
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Christoph Hellwig <[email protected]>
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Stephen Smalley <[email protected]>
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Christoph Hellwig <[email protected]>
- Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- From: James Morris <[email protected]>
- Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- From: Greg KH <[email protected]>
- Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- From: Alan Cox <[email protected]>
- [RFC] packet/socket owner match (fireflier) using skfilter
- Prev by Date: Re: Bonding driver appears to call a sleeping function from an invalid context in 2.6.17-rc1
- Next by Date: Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- Previous by thread: Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- Next by thread: Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- Index(es):
 |