Re: [PATCH] capabilites, take 2

From: Andy Lutomirski
Date: Fri May 14 2004 - 11:19:42 EST

Next message: Will Dyson: "Re: [PATCH] befs (1/5): LBD support"
Previous message: Sergey S. Kostyliov: "Re: [PATCH] befs (1/5): LBD support"
In reply to: Stephen Smalley: "Re: [PATCH] capabilites, take 2"
Next in thread: Stephen Smalley: "Re: [PATCH] capabilites, take 2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Stephen Smalley wrote:

On Fri, 2004-05-14 at 11:57, Andy Lutomirski wrote:

Thanks -- turning brain back on, SELinux is obviously better than any
fine-grained capability scheme I can imagine.

So unless anyone convinces me you're wrong, I'll stick with just
fixing up capabilities to work without making them finer-grained.

Great, thanks. Fixing capabilities to work is definitely useful and
desirable. Significantly expanding them in any manner is a poor use of
limited resources, IMHO; I'd much rather see people work on applying
SELinux to the problem and solving it more effectively for the future.

Does this mean I should trash my 'maximum' mask?

(I like 'cap -c = sftp-server' so it can't try to run setuid/fP apps.)
OTOH, since SELinux accomplishes this better, it may not be worth the
effort.

--Andy

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Will Dyson: "Re: [PATCH] befs (1/5): LBD support"
Previous message: Sergey S. Kostyliov: "Re: [PATCH] befs (1/5): LBD support"
In reply to: Stephen Smalley: "Re: [PATCH] capabilites, take 2"
Next in thread: Stephen Smalley: "Re: [PATCH] capabilites, take 2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]