On Thu, 22 Jun 2006, Serge E. Hallyn wrote:
> sorry if I'm being dense - what is actually being protected against
> here? The only thing I can think of is one process causing performance
> degradation to another by moving it's memory further from it's cpu on a
> NUMA machine.
This is a privileged operation, which currently relies only on uid (i.e.
traditional Unix DAC), and capability checking.
SELinux introduces Mandatory Access Control (MAC) based upon all
security-relevant attributes of tasks and objects, not just uid/capability
checks. Theoretically, all processes could run with euid==0 under SELinux
(in fact, Russell Coker's 'play box' does something similar by giving out
the root password to everyone, although SELinux is designed to complement
DAC, not replace it).
Any privileged operations with DAC controls also need corresponding MAC
controls, which is what this patch implements.
- James
--
James Morris
<[email protected]>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
