Re: sys_setpriority error

From: Stephen Smalley (sdsat_private)
Date: Thu May 31 2001 - 05:57:28 PDT

  • Next message: Stephen Smalley: "Re: sys_setpriority error"

    On 31 May 2001, David Wagner wrote:
    > I'm still quite concerned about only supporting 'permissive' policies
    > (and not supporting 'restrictive' policies) for some actions.
    > How does this affect the other projects?  Do the SELinux folks want
    > to enforce 'restrictive' policies for any hooks that are currently
    > 'permissive'-only, for instance, or is everything fine as is?
    The SELinux module needs to be able to implement more restrictive
    policies for all of the hooks.  In the setpriority example, we need
    to be able to prevent a process from setting the priority of another
    process even if it has the same Linux uid (e.g. if SELinux is being
    used with its Type Enforcement policy module, then the 'setsched'
    permission must be granted between the domains of the two processes,
    even if the uids are the same).
    In the original SELinux prototype (i.e. the one available at, we strictly implemented
    more restrictive controls, i.e. SELinux may deny permissions that
    would normally be granted but it cannot grant permissions that would
    normally be denied.  Ideally, in the longer term, we would also
    like to be able to override denials in a similar manner to the
    capabilities model - See
    for a discussion of how Type Enforcement compares with the POSIX
    Capability Model.  
    Stephen D. Smalley, NAI Labs
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Thu May 31 2001 - 05:59:41 PDT