Re: [PATCH 5/5] Remove unnecesary capability hooks in rootplug.

From: Chris Wright (chrisw@private)
Date: Thu Aug 25 2005 - 10:06:17 PDT


* Stephen Smalley (sds@private) wrote:
> On Thu, 2005-08-25 at 09:21 -0700, Chris Wright wrote:
> > * Stephen Smalley (sds@private) wrote:
> > > On Thu, 2005-08-25 at 09:38 -0500, serue@private wrote:
> > > > Ok, with the attached patch SELinux seems to work correctly.  You'll
> > > > probably want to make it a little prettier  :)  Note I have NOT ran the
> > > > ltp tests for correctness.  I'll do some performance runs, though
> > > > unfortunately can't do so on ppc right now.
> > > 
> > > Note that the selinux tests there _only_ test the SELinux checking.  So
> > > if these changes interfere with proper stacking of SELinux with
> > > capabilities, that won't show up there.  
> > 
> > Sorry, I'm not parsing that?
> 
> e.g. if secondary_ops->capable is null, the SELinux tests aren't going
> to show that, because they will still see that the SELinux permission
> checks are working correctly.  They only test failure/success for the
> SELinux permission checks, not for the capability checks, so if you
> unhook capabilities, they won't notice.

Yes, I see.  I thought the tests you were referring to were 
"if (secondary_ops->capable)" not LTP tests.  Capability is still a
module that can be loaded (or built-in).  So the only issue is it's
security_ops is now NULL where it was a trivial return 0 function.
Aside from the oversight Serge fixed, I don't think there's any issue.

thanks,
-chris



This archive was generated by hypermail 2.1.3 : Thu Aug 25 2005 - 10:06:55 PDT