Lower Process Capabilities
Steve Grubb
sgrubb at redhat.com
Wed Jul 29 14:06:48 UTC 2009
On Wednesday 29 July 2009 09:49:29 am Serge E. Hallyn wrote:
> > There was a patch floated on selinux list circa June 2007 that would
> > have allowed SELinux to directly grant capabilities. But it met a
> > certain amount of resistance from people concerned about the
> > implications of changing the historical position that SELinux only
> > further restricts access and about how to handle states like permissive
> > mode, selinux-disabled, etc seamlessly.
> >
> > http://marc.info/?l=selinux&m=118159187318524&w=2
> > http://marc.info/?l=selinux&m=118192327422630&w=2
> > http://marc.info/?l=selinux&m=118191791828777&w=2
>
> I suppose the main problem with relying on this for granting privilege
> to system processes would be that if the selinux policy wasn't loaded
> for some reason, such processes (sshd, login, ...) would fail.
There is also the argument that what we've been teaching people for years is
that SE Linux strips away privileges and doesn't grant them. Changing the
model would be somewhat confusing.
-Steve
More information about the fedora-devel-list
mailing list