On Mon, 20 Jan 2003 01:08, Christoph Hellwig wrote: > On Fri, Jan 17, 2003 at 04:54:37PM -0500, Stephen D. Smalley wrote: > > This patch adds a LSM sysctl hook for controlling access to > > sysctl variables to 2.5.59, split out from the lsm-2.5 BitKeeper tree. > > SELinux uses this hook to control such accesses in accordance with the > > security policy configuration. > > I'm not very happy with this hook. This means every single security > module needs a list of all sensitive sysctl variables, i.e. we duplicate > information in (possible a large number of) different places. > > What's the reason you can't just live with DAC for sysctls? What exactly do you mean by "live with DAC" in this context? If you mean "allow UID==0 processes to do whatever they like" then it's not going to work for any sort of chroot setup. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Sun Jan 19 2003 - 16:41:35 PST