On Mon, Aug 18, 2003 at 12:41:42PM -0700, Michael Halcrow wrote:
> I have an LSM that disallows the following capabilities:
>
> CAP_SYS_MODULE
> CAP_SYS_RAWIO
> CAP_NET_ADMIN
>
> It is not acceptable to disable or unload the module. I must be able
> to add logic to address the special case where the user runs
> /sbin/shutdown, /sbin/halt, or /sbin/reboot, or performs an action
> that equates to a legal reboot or halt request by the administrator.

I guess I don't understand your security goals. On one hand, you don't
want /sbin/shutdown to function. On the other hand, you do want
/sbin/shutdown to function. And I don't understand the criteria involved
in deciding which rule should be followed when.

What method of bypassing your capability checks are you interested in
providing? Something like SELinux's newrole(8) to allow a "shutdown
role"? Something like LIDS's "lids free session"? Or SubDomain's
"unconfined process"? Or something like systrace's syscall mediation?
Or something like LOMac's dynamic watermarking (e.g., any process that
has communicated with the network is now no longer able to shutdown the
machine).

It depends on whatever it is you wish to accomplish. :)

-- 
"Soon everyone will have an SUV, making roads obsolete and saving
millions in highway costs." -- Mo Rocca
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 11:17:33 PDT