Re: c2 (or c2-like) auditing for Linux

• Previous message: Stephen D. Smalley: "Re: c2 (or c2-like) auditing for Linux"
• Maybe in reply to: Nathan Bardsley: "c2 (or c2-like) auditing for Linux"
• Next in thread: Stephen D. Smalley: "Re: c2 (or c2-like) auditing for Linux"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> How can capabilities override MAC checks?  We have DAC_OVERRIDE capability but 
> no MAC_OVERRIDE...

I think that POSIX.1e defines capabilities for overriding MAC restrictions
as well, although Linux doesn't presently define them.  However, SELinux 
provides a better mechanism for this purpose, as I've discussed previously,
http://marc.theaimsgroup.com/?l=selinux&m=97922666422991&w=2.

--
Stephen Smalley, NSA
sdsat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Casey Schaufler: "Re: c2 (or c2-like) auditing for Linux"
• Previous message: Stephen D. Smalley: "Re: c2 (or c2-like) auditing for Linux"
• Maybe in reply to: Nathan Bardsley: "c2 (or c2-like) auditing for Linux"
• Next in thread: Stephen D. Smalley: "Re: c2 (or c2-like) auditing for Linux"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 07:39:28 PST