Re: [RFC] cgroups: implement device whitelist lsm (v2)

From: James Morris
Date: Thu Mar 13 2008 - 18:28:25 EST


On Thu, 13 Mar 2008, Serge E. Hallyn wrote:

> True, but while this change simplifies the code a bit, the semantics
> seem more muddled - devcg will be enforcing when CONFIG_CGROUP_DEV=y
> and:
>
> SECURITY=n or
> rootplug is enabled
> capabilities is enabled
> smack is enabled
> selinux+capabilities is enabled

Well, this is how real systems are going to be deployed.

It becomes confusing, IMHO, if you have to change which secondary LSM you
stack with SELinux to enable a cgroup feature.

--
James Morris
<jmorris@xxxxxxxxx>