From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from jazzdrum.ncsc.mil (zombie.ncsc.mil [144.51.88.131]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with SMTP id l5C00WTc018908 for ; Mon, 11 Jun 2007 20:00:32 -0400
Received: from web36601.mail.mud.yahoo.com (jazzdrum.ncsc.mil [144.51.5.7]) by jazzdrum.ncsc.mil (8.12.10/8.12.10) with SMTP id l5C00UUh004583 for ; Tue, 12 Jun 2007 00:00:31 GMT
Date: Mon, 11 Jun 2007 17:00:19 -0700 (PDT)
From: Casey Schaufler
Reply-To: casey@schaufler-ca.com
Subject: Re: [RFC][PATCH] selinux: enable authoritative granting of capabilities
To: James Morris , Casey Schaufler
Cc: "Serge E. Hallyn" , Stephen Smalley , selinux@tycho.nsa.gov, Eric Paris
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Message-ID: <114874.10803.qm@web36601.mail.mud.yahoo.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

--- James Morris wrote:

> On Mon, 11 Jun 2007, Casey Schaufler wrote:
>
> > and dealing with interactions with them. My only concern is that you
> > seem to be sneaking around the "additional restrictions" LSM model,
> > with the justification being that the bit you're taking authority over
> > is also an LSM module.
>
> SELinux itself stacks capabilities as a secondary module, and thus already
> has full authority over the LSM in the coarse sense of whether it is
> actually loaded or not.

You betcha. To date it has always respected the denials generated by the mechanism, however. If the leading advanced security scheme (SELinux) asserts authority over another scheme (capabilities) such that the latter is perceived to behave differently when the system has been "secured" (even though it is in fact SELinux that is changing its behavior), the untrained observer may reasonably assume that the "new" behavior is more secure than the old even though it may actually be less restrictive.
I would prefer that the pretext of "stacking" with capabilities be abandoned if the plan is to ignore the "additional restrictions" rule. As you say, SELinux already has full authority over capabilities by virtue of linkage and the lack of real stacking.

Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.