Um, the only problem I have is getting the executable I write to be "full permission" on a variety of systems. I guess it would be appropriate for it to be set the same priority via DTE or module-manual methods as the executable being installed, but I am somewhat uncertain as to how this can be done in a "cross-module" manner. INODES would be different, and that's the key (by design, near as I can figure.) Names could be the same.

Any advice would be useful, or any modifications to the LSM interface that would support it would be useful.

I know that "having knowledge" of permissions are specifically out-spec, but wouldn't it be more useful to be able, in a standard-interface sort of way, to be able to temporarily give an INSTALL type script/application the same permissions as another application (the installed software) would get? Call a hook with the name of the application as installed, for example, and require the module to assign "cloned" permissions?

In essence, a standard way to communicate to the module to "interpret my permissions as if I was XYZ"... leaving it to the module to determine if the test program has a right to ask that?

I think this sort of thing might be necessary for LSM to be generally accepted.

Sincerely,
J. Melvin Jones

|>------------------------------------------------------
|| J. MELVIN JONES jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------

On Thu, 24 Jan 2002, Seth Arnold wrote:

> On Thu, Jan 24, 2002 at 05:03:01PM -0500, jmjonesat_private wrote:
> > If no "standard" is adopted, I will write an application that can check
> > multiple accesses, hopefully to be included with the "standard package".
> > Is this beyond the realm of reasonable?
>
> Probably. It is my understanding that the Openwall-ish module, DTE,
> SELinux, and whatever else we accumulate, will not actually be included
> in our proposal to Linus for inclusion in Linux 2.5. Only the superuser
> (dummy) and capabilities modules will be included, and shipped with the
> kernel, if we get it accepted.
>
> Thus, any such LSM-ClueBat application as Crispin proposed would
> necessarily be distributed through non-LSM channels..
>
> --
> "In God we trust, all others we monitor."
> -- NSA, Intercept Operators's motto, 1970
>
> _______________________________________________
> linux-security-module mailing list
> linux-security-moduleat_private
> http://mail.wirex.com/mailman/listinfo/linux-security-module

This archive was generated by hypermail 2b30 : Thu Jan 24 2002 - 14:31:35 PST