Lower Process Capabilities

Adam Jackson ajax at redhat.com
Tue Jul 28 13:59:11 UTC 2009


On Tue, 2009-07-28 at 01:12 +0200, yersinia wrote:
> On Mon, Jul 27, 2009 at 5:29 PM, Adam Jackson <ajax at redhat.com> wrote:
> > Caps are also wrong in that they're effectively a partitioning of root's
> > privileges above those of a user.  You would like the ability to do more
> > than that.  For example, you'd like to be able to remove your ability to
> > clone() or exec().  SELinux can do this, kinda.
> 
> Put an example, thanks.

Trim message bodies when quoting, thanks.

You can create an SELinux context that is not allowed to exec, or only
allowed to exec certain things.  Or not allowed to connect to TCP
sockets.  Or pretty much anything else a normal user would otherwise be
allowed to do.

- ajax
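As an added example that is not from this thread or from ajax, here is what that kind of restriction looks like as a Fedora-style SELinux reference-policy module: a domain that may read /etc and talk to syslog but can never execute another program or open a TCP connection. The module name, the noexec_demo_t and noexec_demo_exec_t types and the granted interfaces are assumptions chosen for illustration, and how a process enters the domain (a .fc entry labelling its binary noexec_demo_exec_t plus a type transition from the calling domain) is assumed to be handled elsewhere.

```selinux
# Added example (noexec_demo.te), not part of the original thread.
# Module, type and permission choices are assumptions for illustration.

policy_module(noexec_demo, 1.0.0)

gen_require(`
	attribute file_type, port_type;
')

########################################
#
# Declarations
#

# The process domain and the label for its entry-point executable.
type noexec_demo_t;
type noexec_demo_exec_t;
application_domain(noexec_demo_t, noexec_demo_exec_t)

########################################
#
# Policy
#

# Type enforcement is default-deny: the domain gets exactly the
# interfaces listed here and nothing else, so `file execute` and
# `tcp_socket name_connect` are denied simply by never being granted.
files_read_etc_files(noexec_demo_t)
logging_send_syslog_msg(noexec_demo_t)

# Turn the omission into a hard guarantee: if any module later tries to
# grant one of these permissions to noexec_demo_t, the policy fails to
# build (neverallow rules in modules are checked only when expand-check
# is enabled in /etc/selinux/semanage.conf).
neverallow noexec_demo_t file_type:file { execute execute_no_trans };
neverallow noexec_demo_t port_type:tcp_socket name_connect;
```

A process confined this way still runs as an ordinary user, but an exec() or connect() from it is refused by the kernel and logged as an AVC denial, which is the behaviour capabilities alone cannot express.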