Casey Schaufler wrote:
--- Crispin Cowan [EMAIL PROTECTED] wrote:
Dr. David Alan Gilbert wrote:
...
Can you explain why you want a non-privileged user to be able to edit
policy? I would like to better understand the problem here.
Note that John Johansen is also interested in allowing
Joshua Brindle wrote:
Casey Schaufler wrote:
From: Paul Moore [EMAIL PROTECTED]
Add a new set of configuration functions to the NetLabel/LSM API so that
LSMs can perform their own configuration of the NetLabel subsystem without
relying on assistance from userspace.
I'm still not receiving
Casey Schaufler wrote:
The Smack patch and Paul Moore's netlabel API patch,
together for 2.6.24-rc1. Paul's changes are identical
to the previous posting, but it's been a while so they're
here again.
The sole intent of change has been to address locking
and/or list processing issues. Please
Casey Schaufler wrote:
The Smack patch and Paul Moore's netlabel API patch,
together for 2.6.24-rc1. Paul's changes are identical
to the previous posting, but it's been a while so they're
here again.
The sole intent of change has been to address locking
and/or list processing issues. Please
Andi Kleen wrote:
- hm, netlabels. Who might be a suitable person to review that code?
Seems that Paul Moore is the man. Maybe he'd be interested in taking a
look over it (please?)
I personally consider these IP options it uses to be pretty useless. Who could
ever use that without
Casey Schaufler wrote:
--- Joshua Brindle [EMAIL PROTECTED] wrote:
Since unprivileged programs (the origin, guard, and publication
daemons in smackguard run without privilege) can't change their
Smack labels establishing a pipe between processes with different
labels is not possible without
Casey Schaufler wrote:
--- Joshua Brindle [EMAIL PROTECTED] wrote:
Casey Schaufler wrote:
--- Joshua Brindle [EMAIL PROTECTED] wrote:
... On the guard
implementation I'd like to note that assured pipelines are pretty hard
to get right. Without object class and create
Casey Schaufler wrote:
--- Joshua Brindle [EMAIL PROTECTED] wrote:
... On the guard
implementation I'd like to note that assured pipelines are pretty hard
to get right. Without object class and create granularity (at the very
least) you might find it very difficult to control backflow
Casey Schaufler wrote:
+static int smack_shm_associate(struct shmid_kernel *shp, int shmflg)
+{
+ smack_t *ssp = smack_of_shm(shp);
+ int rc;
+
+ if (ssp == NULL)
+ return 0;
+
+ rc = smk_curacc(ssp, MAY_READWRITE);
+ return rc;
+}
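Review bot: smack_shm_associate() never reads its shmflg argument and always asks smk_curacc() for MAY_READWRITE, so a caller that only needs read access to the segment is also checked for write. If that is intended, say so in a comment above the function; otherwise derive the requested access from shmflg. The local rc adds nothing and the function can return the result of smk_curacc(ssp, MAY_READWRITE) directly.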
No read-only
Casey Schaufler wrote:
--- Joshua Brindle [EMAIL PROTECTED] wrote:
Casey Schaufler wrote:
snip
Smack provides mandatory access controls based on the label attached
to a task and the label attached to the object it is attempting to
access. Smack labels are deliberately short (1-7
Casey Schaufler wrote:
Today's implementation of sshd is a hack, just enough to get
things going. Longer term I expect users to have a list of
labels they can use. sshd currently uses /etc/smack/user,
which contains lines like:
method manic
casey loony
with future support for:
Casey Schaufler wrote:
snip
Smack provides mandatory access controls based on the label attached
to a task and the label attached to the object it is attempting to
access. Smack labels are deliberately short (1-7 characters) text
strings. Single character labels using special characters are
Lars Marowsky-Bree wrote:
On 2007-06-21T16:59:54, Stephen Smalley [EMAIL PROTECTED] wrote:
snip
Um, no. It might not be able to directly open files via that path, but
showing that it can never read or write your mail is a rather different
matter.
Yes. Your use case is different than
[EMAIL PROTECTED] wrote:
On Thu, 21 Jun 2007, Joshua Brindle wrote:
Lars Marowsky-Bree wrote:
On 2007-06-21T16:59:54, Stephen Smalley [EMAIL PROTECTED] wrote:
snip
Um, no. It might not be able to directly open files via that path, but
showing that it can never read or write your
[EMAIL PROTECTED] wrote:
On Sat, 9 Jun 2007, Sean wrote:
snip
what SELinux cannot do is figure out what label to assign a new file.
Nit: SELinux figures out what to label new files fine, just not based on
the name. This works in most cases, eg., when user_t creates a file in
/tmp it