* Stephen Smalley (sds@private) wrote: > On Thu, 2005-08-25 at 09:21 -0700, Chris Wright wrote: > > * Stephen Smalley (sds@private) wrote: > > > On Thu, 2005-08-25 at 09:38 -0500, serue@private wrote: > > > > Ok, with the attached patch SELinux seems to work correctly. You'll > > > > probably want to make it a little prettier :) Note I have NOT ran the > > > > ltp tests for correctness. I'll do some performance runs, though > > > > unfortunately can't do so on ppc right now. > > > > > > Note that the selinux tests there _only_ test the SELinux checking. So > > > if these changes interfere with proper stacking of SELinux with > > > capabilities, that won't show up there. > > > > Sorry, I'm not parsing that? > > e.g. if secondary_ops->capable is null, the SELinux tests aren't going > to show that, because they will still see that the SELinux permission > checks are working correctly. They only test failure/success for the > SELinux permission checks, not for the capability checks, so if you > unhook capabilities, they won't notice. Yes, I see. I thought the tests you were referring to were "if (secondary_ops->capable)" not LTP tests. Capability is still a module that can be loaded (or built-in). So the only issue is it's security_ops is now NULL where it was a trivial return 0 function. Aside from the oversight Serge fixed, I don't think there's any issue. thanks, -chris
This archive was generated by hypermail 2.1.3 : Thu Aug 25 2005 - 10:06:55 PDT