Re: [PATCH 5/5] Remove unnecesary capability hooks in rootplug.

From: Chris Wright
Date: Thu Aug 25 2005 - 12:06:48 EST


* Stephen Smalley (sds@xxxxxxxxxxxxxx) wrote:
> On Thu, 2005-08-25 at 09:21 -0700, Chris Wright wrote:
> > * Stephen Smalley (sds@xxxxxxxxxxxxxx) wrote:
> > > On Thu, 2005-08-25 at 09:38 -0500, serue@xxxxxxxxxx wrote:
> > > > Ok, with the attached patch SELinux seems to work correctly. You'll
> > > > probably want to make it a little prettier :) Note I have NOT ran the
> > > > ltp tests for correctness. I'll do some performance runs, though
> > > > unfortunately can't do so on ppc right now.
> > >
> > > Note that the selinux tests there _only_ test the SELinux checking. So
> > > if these changes interfere with proper stacking of SELinux with
> > > capabilities, that won't show up there.
> >
> > Sorry, I'm not parsing that?
>
> e.g. if secondary_ops->capable is null, the SELinux tests aren't going
> to show that, because they will still see that the SELinux permission
> checks are working correctly. They only test failure/success for the
> SELinux permission checks, not for the capability checks, so if you
> unhook capabilities, they won't notice.

Yes, I see. I thought the tests you were referring to were
"if (secondary_ops->capable)" not LTP tests. Capability is still a
module that can be loaded (or built-in). So the only issue is it's
security_ops is now NULL where it was a trivial return 0 function.
Aside from the oversight Serge fixed, I don't think there's any issue.

thanks,
-chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/