From: Russell Coker <russell@coker.com.au>
To: Christoph Hellwig <hch@infradead.org>,
"Stephen D. Smalley" <sds@epoch.ncsc.mil>
Cc: linux-kernel@vger.kernel.org, linux-security-module@wirex.com
Subject: Re: [RFC][PATCH] Add LSM sysctl hook to 2.5.59
Date: Mon, 20 Jan 2003 01:39:39 +0100 [thread overview]
Message-ID: <200301200139.39092.russell@coker.com.au> (raw)
In-Reply-To: <20030120000853.A9023@infradead.org>
On Mon, 20 Jan 2003 01:08, Christoph Hellwig wrote:
> On Fri, Jan 17, 2003 at 04:54:37PM -0500, Stephen D. Smalley wrote:
> > This patch adds a LSM sysctl hook for controlling access to
> > sysctl variables to 2.5.59, split out from the lsm-2.5 BitKeeper tree.
> > SELinux uses this hook to control such accesses in accordance with the
> > security policy configuration.
>
> I'm not very happy with this hook. This means every single security
> module needs a list of all sensitive sysctl variables, i.e. we duplicate
> information in (possible a large number of) different places.
>
> What's the reason you can't just live with DAC for sysctls?
What exactly do you mean by "live with DAC" in this context? If you mean
"allow UID==0 processes to do whatever they like" then it's not going to work
for any sort of chroot setup.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
next prev parent reply other threads:[~2003-01-20 0:30 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-01-17 21:54 [RFC][PATCH] Add LSM sysctl hook to 2.5.59 Stephen D. Smalley
2003-01-20 0:08 ` Christoph Hellwig
2003-01-20 0:39 ` Russell Coker [this message]
2003-01-20 0:43 ` Christoph Hellwig
2003-01-20 1:05 ` Russell Coker
-- strict thread matches above, loose matches on Subject: below --
2003-01-21 14:51 Stephen D. Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200301200139.39092.russell@coker.com.au \
--to=russell@coker.com.au \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@wirex.com \
--cc=sds@epoch.ncsc.mil \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox