[redhat-lspp] New pam src rpm with namespace

Serge E. Hallyn serue at us.ibm.com
Fri Feb 17 14:56:29 UTC 2006


Quoting Stephen Smalley (sds at tycho.nsa.gov):
> On Fri, 2006-02-17 at 07:29 -0600, Serge E. Hallyn wrote:
> > Sounds like a good idea to me.  The other thing of course - which could
> > be done in addition to this - would be to have unshare be checked by an
> > LSM hook, security_task_unshare(), which in capability.c happens to
> > check CAP_SYS_ADMIN, but in selinux checks for
> > 
> > 	self:process unshare
> > 
> > and doesn't propagate the check to capability.
> > 
> > But if the same helper would unshare and mount, then I guess it may not
> > be worthwhile.
> 
> We have to be careful about dropping out capability checks in the
> SELinux case because of people running targeted policy (with unconfined
> users).

Good point.  But Russell's separate mount helper should suffice, right?

-serge



