Casey Schaufler wrote:
--- Joshua Brindle [EMAIL PROTECTED] wrote:
Casey Schaufler wrote:
snip
Smack provides mandatory access controls based on the label attached
to a task and the label attached to the object it is attempting to
access. Smack labels are deliberately short (1-7
On Tue, 2007-07-17 at 19:59 -0700, Casey Schaufler wrote:
- Speaking of which, are you ok with your MAC model being overridden by
all uid 0 processes? Or do you plan to change securebits and use file
caps?
I've been tracking the file caps closely. I like file capabilities,
but I have
On Sat, 2007-07-14 at 12:37 -0400, James Morris wrote:
Convert LSM into a static interface, as the ability to unload a security
module is not required by in-tree users and potentially complicates the
overall security architecture.
Needlessly exported LSM symbols have been unexported, to help
Casey Schaufler wrote:
Today's implementation of sshd is a hack, just enough to get
things going. Longer term I expect users to have a list of
labels they can use. sshd currently uses /etc/smack/user,
which contains lines like:
method manic
casey loony
with future support for:
Quoting Andrew Morgan ([EMAIL PROTECTED]):
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Serge,
I spent the evening getting my local build of libcap (building the
libcap/progs/old/setcap and getcap tools) working with the new kernel
support.
It seems there is a basic insecurity bug in
On Wed, 2007-07-18 at 12:53 -0500, Serge E. Hallyn wrote:
Quoting Andrew Morgan ([EMAIL PROTECTED]):
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Serge,
I spent the evening getting my local build of libcap (building the
libcap/progs/old/setcap and getcap tools) working with the
On Wed, 2007-07-18 at 14:03 -0400, Stephen Smalley wrote:
On Wed, 2007-07-18 at 12:53 -0500, Serge E. Hallyn wrote:
Quoting Andrew Morgan ([EMAIL PROTECTED]):
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Serge,
I spent the evening getting my local build of libcap (building
Quoting Stephen Smalley ([EMAIL PROTECTED]):
On Wed, 2007-07-18 at 12:53 -0500, Serge E. Hallyn wrote:
Quoting Andrew Morgan ([EMAIL PROTECTED]):
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Serge,
I spent the evening getting my local build of libcap (building the
--- Stephen Smalley [EMAIL PROTECTED] wrote:
On Sat, 2007-07-14 at 14:47 -0700, Casey Schaufler wrote:
Smack is the Simplified Mandatory Access Control Kernel.
...
A file always gets the Smack label of the task that created it.
Smack defines and uses these labels:
* -
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Serge E. Hallyn wrote:
For suid, this is handled by remove_suid - notify_change with
ATTR_KILL_SUID/SGID. No equivalent for security xattrs presently.
I assume we're all agreed that we do in fact want to treat
security.capability xattrs like
--- Joshua Brindle [EMAIL PROTECTED] wrote:
Casey Schaufler wrote:
...
I do have a hackish newsmack command, which I should probably include.
All it does is write the new label to /proc/self/attr/current and
exec the desired program. That's not good enough for a production
On Wed, 18 Jul 2007, Andrew Morton wrote:
The SECURITY_FRAMEWORK_VERSION macro has also been removed.
I'd like to understand who is (or claims to be) adversely affected by this
change, and what their complaints (if any) will be.
Because I prefer my flamewars pre- rather than post-merge.
On Wed, 18 Jul 2007, James Morris wrote:
On Wed, 18 Jul 2007, Andrew Morton wrote:
The SECURITY_FRAMEWORK_VERSION macro has also been removed.
I'd like to understand who is (or claims to be) adversely affected by this
change, and what their complaints (if any) will be.
Because I prefer my
--- Stephen Smalley [EMAIL PROTECTED] wrote:
On Tue, 2007-07-17 at 19:59 -0700, Casey Schaufler wrote:
- Speaking of which, are you ok with your MAC model being overridden by
all uid 0 processes? Or do you plan to change securebits and use file
caps?
I've been tracking the
14 matches