Re: [RFC] cgroups: implement device whitelist lsm (v2)

From: Serge E. Hallyn
Date: Thu Mar 13 2008 - 18:46:32 EST


Quoting James Morris (jmorris@xxxxxxxxx):
> On Thu, 13 Mar 2008, Serge E. Hallyn wrote:
>
> > True, but while this change simplifies the code a bit, the semantics
> > seem more muddled - devcg will be enforcing when CONFIG_CGROUP_DEV=y
> > and:
> >
> > SECURITY=n or
> > rootplug is enabled
> > capabilities is enabled
> > smack is enabled
> > selinux+capabilities is enabled
>
> Well, this is how real systems are going to be deployed.

Sorry, do you mean with capabilities?

> It becomes confusing, IMHO, if you have to change which secondary LSM you
> stack with SELinux to enable a cgroup feature.

So you're saying selinux without capabilities should still be able to
use dev_cgroup? (Just making sure I understand right)

-serge