Thanks, guys - I also need to update the selinux classmap in both kernel and policy. Hoping to get around to that this afternoon, but not sure.
-serge Quoting Andrew G. Morgan ([email protected]): > Acked-by: Andrew G. Morgan <[email protected]> > > I concur with Kees. > > Cheers > > Andrew > > On Mon, Mar 8, 2010 at 10:58 AM, Kees Cook <[email protected]> wrote: > > Hi Serge, > > > > On Fri, Mar 05, 2010 at 02:56:07PM -0600, Serge E. Hallyn wrote: > >> Privileged syslog operations currently require CAP_SYS_ADMIN. Split > >> this off into a new CAP_SYSLOG privilege which we can sanely take away > >> from a container through the capability bounding set. > > > > Seems like a good idea, but it'll require code changes in libcap2, > > libcap-ng, as well as manpages. > > > > I support the idea -- more stuff needs to be extracted from CAP_SYS_ADMIN, > > but this is a nice distinct subsystem to do now. > > > > Acked-By: Kees Cook <[email protected]> > > > > -- > > Kees Cook > > Ubuntu Security Team > > -- > > To unsubscribe from this list: send the line "unsubscribe > > linux-security-module" in > > the body of a message to [email protected] > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > _______________________________________________ Containers mailing list [email protected] https://lists.linux-foundation.org/mailman/listinfo/containers _______________________________________________ Devel mailing list [email protected] https://openvz.org/mailman/listinfo/devel
