Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
From: Valdis . Kletnieks
Date: Mon Apr 17 2006 - 22:33:38 EST
On Mon, 17 Apr 2006 22:26:24 BST, Alan Cox said:
(Two replies to this paragraph, addressing 2 separate issues....)
> You can implement a BSD securelevel model in SELinux as far as I can see
> from looking at it, and do it better than the code today, so its not
> really a feature drop anyway just a migration away from some fossils
If we heave the LSM stuff overboard, there's one thing that *will* need
addressing - what to do with kernel support of Posix-y capabilities. Currently
some of the heavy lifting is done by security/commoncap.c.
Frankly, that's *another* thing that we need to either *fix* so it works right,
or rip out of the kernel entirely. As far as I know, there's no in-tree way
to make /usr/bin/ping be set-CAP_NET_RAW and have it DTRT.
Attachment:
pgp00000.pgp
Description: PGP signature