Security Enhanced Linux
SELinux Mailing List
RE: [patch 0/2] policy capability support
From: Christopher J. PeBenito <cpebenito_at_tresys.com>
Date: Thu, 06 Dec 2007 13:34:30 -0500
Most likely via policy_module().
> - If we go with the first or the last options, what about modules that

I would put forth that the idea of dont-care doesn't really exist. If you know about it but don't care about it, what's the difference between dont-care and enable? If you don't know about it, then you can't say that you don't care, and making dont-care the default would be bad, since that would tend towards enabling new caps, causing the problems we're trying to avoid :)
> - The intersection behavior assumes that new policy will always preserve

I suppose it depends on how people (ab)use the caps. Josh made the case to me that some people might want to intentionally disable controls because they don't care about them or they want to try to boost performance (e.g. networking pieces). Beyond that, I suppose it depends on how far back we want to go. For example, RHEL4 is ancient by SELinux standards, but it's going to be around for a long time, so we have some distro_rhel4 blocks in refpolicy. Eventually RHEL4 will be out of support, and then we can drop them. I don't have a problem with it, but I also don't know how many and how fast we're going to gain caps.
> How do we ultimately

Move them out of conditionals? Or are you suggesting having a way to make warnings into errors after a reasonable amount of upgrade time?
> Will all such capabilities be amenable to

Good question. I forgot my crystal ball at home :( Will things beyond permission changes be supported under this?
> - I'd tend to expect most users to not notice the disabled caps warning

Perhaps Dan or some of the other RH people can comment on this, but I was under the impression that unusual console messages tend to be noticed.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Thu 6 Dec 2007 - 13:34:58 EST
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |