[redhat-lspp] New pam src rpm with namespace
Stephen Smalley
sds at tycho.nsa.gov
Fri Feb 17 13:43:10 UTC 2006
On Fri, 2006-02-17 at 07:29 -0600, Serge E. Hallyn wrote:
> Sounds like a good idea to me. The other thing of course - which could
> be done in addition to this - would be to have unshare be checked by an
> LSM hook, security_task_unshare(), which in capability.c happens to
> check CAP_SYS_ADMIN, but in selinux checks for
>
> self:process unshare
>
> and doesn't propagate the check to capability.
>
> But if the same helper would unshare and mount, then I guess it may not
> be worthwhile.
We have to be careful about dropping out capability checks in the
SELinux case because of people running targeted policy (with unconfined
users).
--
Stephen Smalley
National Security Agency
More information about the redhat-lspp
mailing list