* Stephen D. Smalley (sdsat_private) wrote:
> > > Even just having them in the kernel context would be an improvement over the
> > current situation.
> >
> > We have just had to change policy to allow the init program greater access
> > than it would otherwise require because a kernel thread needed more access,
> > which is not desirable.
>
> This can be handled just by changing the selinux_task_reparent_to_init
> hook function to use a different SID. Not clear what that SID should
> be, e.g. the kernel SID (maps to kernel_t, presently assigned to the
> initial task), the kmod SID (maps to kmod_t, formerly assigned for
> kernel module loader and hotplug), or a completely new initial SID and
> domain.

I'd have figured kernel_t. The way I see it, /sbin/init is a program that
has a well defined domain entrance point (execve()), and doesn't have the
same privilege requirements as the initial kernel threads.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 09:24:18 PST