Stephen Smalley wrote:
>
> On Mon, 4 Jun 2001, Casey Schaufler wrote:
>
> > Err, it was on the selinux list. Someone wants a policy
> > which modifies the DAC policy under certain MAC conditions.
> > It was something on the order of "users cleared for TS
> > can read UNCLASS data regardless of the file permissions."
> > You can't do that if the traditional DAC checks are done
> > outside the policy module.
>
> I've previously suggested (both on this list and on the
> selinux list) that it would be nice to be able to provide
> this kind of functionality (...). By
> replacing the guts of capable() with a call to the LSM
> hook, I get halfway there - I can allow a process in the
> FOO domain to override discretionary read restrictions
> on all files.

I guess that's my point. Sure, you can kludge it up so that
it sorta works the way you'd like in this case, but it sure
ain't generally useful.

--
Casey Schaufler Manager, Trust Technology, SGI
caseyat_private voice: 650.933.1634
casey_pat_private Pager: 888.220.0607

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
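The gap discussed in this thread, as an added example that is not part of either poster's message and is not LSM or kernel code: a user-space C model in which the DAC check lives outside the module and the module is consulted only through a capability hook that never sees the file. All types, names, the `MODEL_CAP_DAC_READ_SEARCH` constant and the sample task and files are constructed for illustration.

```c
/* User-space model only; every name below is hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum level { UNCLASS, TS };
struct task { const char *domain; unsigned uid; enum level clearance; };
struct file { const char *name; unsigned owner; bool other_read; enum level label; };

#define MODEL_CAP_DAC_READ_SEARCH 2   /* stand-in capability number */

/* Module's capability hook: gets the task and the capability, not the file. */
static bool hook_capable(const struct task *t, int cap)
{
    return cap == MODEL_CAP_DAC_READ_SEARCH && strcmp(t->domain, "FOO") == 0;
}

/* DAC read check done outside the module, falling back to the hook. */
static bool dac_may_read(const struct task *t, const struct file *f)
{
    if (t->uid == f->owner || f->other_read)
        return true;
    return hook_capable(t, MODEL_CAP_DAC_READ_SEARCH);
}

/* Policy quoted in the thread: TS-cleared users read UNCLASS data
 * regardless of file permissions. Deciding this needs the file's label. */
static bool wanted_may_read(const struct task *t, const struct file *f)
{
    if (t->uid == f->owner || f->other_read)
        return true;
    return t->clearance == TS && f->label == UNCLASS;
}

/* Constructed samples: one FOO-domain task, two private files owned by uid 0. */
static const struct task foo_task = { "FOO", 1000, TS };
static const struct file samples[] = {
    { "unclass-private", 0, false, UNCLASS },
    { "ts-private",      0, false, TS      },
};

/* Count files the hook-based override opens that the wanted policy would not. */
static int over_grants(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (dac_may_read(&foo_task, &samples[i]) && !wanted_may_read(&foo_task, &samples[i]))
            n++;
    return n;
}

int main(void) { printf("over-granted files: %d\n", over_grants()); return 0; }
```

In this model the override granted through the hook is all-or-nothing per task, which is the "all files" half-solution described in the quoted text.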
This archive was generated by hypermail 2b30 : Mon Jun 04 2001 - 12:07:32 PDT