[redhat-lspp] Re: newrole, UID change, etc
Chad Hanson
chanson at TrustedCS.com
Thu Apr 20 14:58:48 UTC 2006
I agree with this idea as well....
> If that is your concern, then maybe you should follow the suggestion I
> gave Serge Hallyn on linux-security-module earlier this week for
> enabling SELinux to selectively override capabilities. Just introduce a
> new cap_override security class that mirrors capability, and change
> selinux_capable to check it first. If granted by that security class,
> then skip the call to the secondary module and authoritatively grant the
> capability based on SELinux domain alone. If denied by that security
> class, recheck the normal capability class, and if that is allowed, call
> the secondary module as usual to require both to pass. Then you can
> give out Linux capabilities selectively to non-uid 0 processes, while
> phasing it in gradually without disturbing existing policy and without
> immediately exposing everything to risk.
>
More information about the redhat-lspp
mailing list