From: Andrew Morgan <morgan@kernel.org>
To: casey@schaufler-ca.com
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
"Serge E. Hallyn" <serue@us.ibm.com>,
linux-kernel@vger.kernel.org, chrisw@sous-sol.org,
darwish.07@gmail.com, jmorris@namei.org, method@manicmethod.com,
paul.moore@hp.com,
LSM List <linux-security-module@vger.kernel.org>
Subject: Re: + smack-version-11c-simplified-mandatory-access-control-kernel.patch added to -mm tree
Date: Fri, 23 Nov 2007 19:25:18 -0800 [thread overview]
Message-ID: <4747999E.4020201@kernel.org> (raw)
In-Reply-To: <739077.85064.qm@web36613.mail.mud.yahoo.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Casey Schaufler wrote:
> In the end we can call it CAP_LATE_FOR_DINNER if that's the only way
> I can move forward. CAP_MAC_OVERRIDE is the obvious partner to
> CAP_DAC_OVERRIDE, so that's still my preference. CAP_SMACK_OVERRIDE
> unnecessarily ties it to one LSM, and in spite of what some people
> still seem to think, I see more LSMs in the pipeline.
I'd personally not like to see SMACK appear in a capability name. No
offense Casey, but SMACK may be displaced with YAMAC (*) someday, and
I'd hate to have wasted a capability on it. Using CAP_MAC_OVERRIDE makes
sense to me - even if its not (yet/ever) honored by all MAC LSMs.
I do have a question about whether one capability is sufficient in
general for MAC. Looking at the:
http://wt.xpilot.org/publications/posix.1e/download.html
last draft, there are no less than 5 capabilities (p173) allocated for
MAC. Presumably there was a good reason for 5 and not 1 back then -
could you summarize what is different now?
Thanks
Andrew
(*) yet-another example of yet-another
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHR5mc+bHCR3gb8jsRAlB9AJsHPi1+fFp1ONKJCMFDpLS1lYG4AwCfYxMX
8aaU+sOBNHU01uldtrJ8cEI=
=/USy
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2007-11-24 3:25 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-11-20 22:06 + smack-version-11c-simplified-mandatory-access-control-kernel.patch added to -mm tree akpm
2007-11-21 15:48 ` Serge E. Hallyn
2007-11-21 15:51 ` Stephen Smalley
2007-11-21 17:04 ` Serge E. Hallyn
2007-11-21 17:21 ` Casey Schaufler
2007-11-21 18:02 ` Stephen Smalley
2007-11-21 19:19 ` Casey Schaufler
2007-11-24 3:25 ` Andrew Morgan [this message]
2007-11-24 4:47 ` Casey Schaufler
2007-11-24 6:09 ` Andrew Morgan
2007-11-24 11:39 ` Crispin Cowan
2007-11-24 19:16 ` Casey Schaufler
2007-11-25 2:07 ` Kyle Moffett
2007-11-25 3:36 ` Crispin Cowan
2007-11-26 17:36 ` Kyle Moffett
2007-11-26 19:55 ` Joshua Brindle
2007-11-24 11:39 ` Crispin Cowan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4747999E.4020201@kernel.org \
--to=morgan@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=chrisw@sous-sol.org \
--cc=darwish.07@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=method@manicmethod.com \
--cc=paul.moore@hp.com \
--cc=sds@tycho.nsa.gov \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.