Re: Assurance, permissiveness, and restriction

From: sarnoldat_private
Date: Mon Jun 04 2001 - 11:53:44 PDT

    [Stephen, you are word-wrapping near 62 characters .. is this really
    the size of your email client's window?]
    
    On Mon, Jun 04, 2001 at 02:39:30PM -0400, Stephen Smalley wrote:
    [process in FOO can override DAC on files type BAR]
    > By replacing the guts of capable() with a call to the LSM
    > hook, I get halfway there - I can allow a process in the
    > FOO domain to override discretionary read restrictions
    > on all files.  The per-file override ability would be nice,
    
    A quick check of my version of the source code shows that we only have
    opaque security blobs on the binprm or binfmts stuff. Shouldn't there
    be more opaque blobs placed on objects (dentries in this case? Or
    would inodes be preferred? Both?) to allow just this sort of policy
    easily?
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    


