On Tue, 2 Apr 2002, Russell Coker wrote:

> It doesn't seem to work at all.  But I guess this is the SE Linux and OWLSM
> stacking issue.

At present, the SELinux security module only calls the secondary security module for the small set of hooks that are implemented by either the dummy or capabilities security modules. Furthermore, the stacking for some of the dummy/capability hooks is transparently handled merely by stacking the capable hook, since some of the hook functions are implemented entirely in terms of capable() calls.

It would be straightforward to change the SELinux module to always invoke the secondary security module for every hook (at some cost in overhead), and this would provide greater generality, but you still need to understand how the modules might interact and you need to ensure that they do not conflict in terms of their usage of the security fields.

If we were to change the SELinux module in this way, you could then probably stack SELinux+OWLSM as long as you disabled the OWLSM options that use the security field, but you would still need to address the hardwired superuser logic in OWLSM and the current inability to stack multiple secondary modules in order to stack SELinux+capabilities+OWLSM.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
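The stacking behaviour described in the message above, as a simplified user-space C model added here for illustration (not code from SELinux, OWLSM or the LSM patch). Every struct, function and hook name is hypothetical; the model only shows a primary module that stacks some hooks versus all hooks, and two modules sharing one security field.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model of primary/secondary module stacking; names are illustrative. */
#define EPERM_MODEL 1
struct task { int uid; void *security; };          /* one security field per object */
struct sec_ops {
    int  (*capable)(struct task *t, int cap);
    int  (*file_hook)(struct task *t, int owner);  /* stands in for any non-capability hook */
    void (*task_alloc)(struct task *t);
};

/* Secondary module: restricts file_hook and, optionally, claims the security field. */
static int sec_uses_field = 1;
static int sec_tag = 7;
static int sec_capable(struct task *t, int cap) { (void)cap; return t->uid == 0 ? 0 : -EPERM_MODEL; }
static int sec_file_hook(struct task *t, int owner) { return t->uid == owner ? 0 : -EPERM_MODEL; }
static void sec_task_alloc(struct task *t) { if (sec_uses_field) t->security = &sec_tag; }
static struct sec_ops secondary = { sec_capable, sec_file_hook, sec_task_alloc };

/* Primary module: owns the security field and decides which hooks are stacked. */
static int primary_label = 42;
static int stack_all_hooks = 0;   /* 0: only capable is stacked, 1: every hook is stacked */

int primary_capable(struct task *t, int cap) {
    return secondary.capable(t, cap);               /* stacked in both modes */
}
int primary_file_hook(struct task *t, int owner) {
    /* the primary's own policy check would run here; the model permits */
    if (stack_all_hooks) return secondary.file_hook(t, owner);
    return 0;                                       /* secondary is never consulted */
}
void primary_task_alloc(struct task *t) {
    t->security = &primary_label;
    if (stack_all_hooks) secondary.task_alloc(t);   /* may overwrite the shared field */
}
int primary_label_intact(const struct task *t) { return t->security == &primary_label; }

int main(void) {
    struct task t = { 1000, NULL };                 /* constructed sample task */
    primary_task_alloc(&t);
    printf("partial: file_hook=%d label_intact=%d\n", primary_file_hook(&t, 0), primary_label_intact(&t));
    stack_all_hooks = 1;
    primary_task_alloc(&t);
    printf("full:    file_hook=%d label_intact=%d\n", primary_file_hook(&t, 0), primary_label_intact(&t));
    return 0;
}
```

With partial stacking the secondary module's file restriction is silently not enforced; with full stacking it is enforced, but the primary's label survives only when the secondary's field-using option is turned off.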
This archive was generated by hypermail 2b30 : Tue Apr 02 2002 - 05:38:03 PST