selinux diversion [was Re: Usermode request: add patch enabling group membership to control auth user]
Matthew Miller
mattdm at mattdm.org
Fri Apr 16 15:24:10 UTC 2004
[changing the subject because I didn't really mean to get derailed on the
SELinux thing.]
On Fri, Apr 16, 2004 at 10:20:48AM -0400, Stephen Smalley wrote:
> - Bounded privilege escalation is a good thing.
Definitely.
> - You can configure the policy to do as you wish, and I think that the
> policy tunables already exist to allow it (and are even enabled by
> default in the RH policy).
Not sure what "it" is referring to in this sentence.
> - The existing permissions model is fundamentally inadequate by itself,
> and it makes no sense to try to turn DAC into MAC. See
> http://www.nsa.gov/selinux/papers/inevit-abs.cfm.
Yep. I'm just increasingly unsure about the implementation. If a SELinux
configuration can allow a user to access things that would normally be
denied by traditional Unix security, that's *crazy*.
--
Matthew Miller mattdm at mattdm.org <http://www.mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
More information about the fedora-test-list
mailing list