SELinux Mailing List

RE: [patch 0/2] policy capability support

From: Todd Miller <Tmiller_at_tresys.com>
Date: Wed, 5 Dec 2007 16:41:03 -0500


Stephen Smalley wrote:
> Yes, I'm still against (automatic, default) unioning of the
> capabilities by the linker - that is clearly not a safe default.
> semodule could possibly override that behavior based on an option
> though, at which point the %post scriptlet in the policy rpm could
> use that option if we wanted to force it w/o user intervention.

What do we want the behavior of this option to be? As I see it we have two choices:

  1. perform a union instead of requiring equivalence
  2. add capabilities as needed to binary modules in the store.

The advantage of 2) is that it would only need to happen once, which makes it more "upgrade friendly".

 - todd
Received on Wed 5 Dec 2007 - 16:41:16 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service