On Wed, 29 Jul 2009, Stephen Smalley wrote:

> So I think the only piece of the proposal that is orthogonal to SELinux
> is privilege bracketing within the program (dropping caps after use).  
> But the changes to the file and directory permissions seem more
> questionable.

Once we have access control on policy itself, we may be able to provide an 
API where an application can toggle a boolean on itself, e.g. to perform 
one action with broader permissions, then switch to a tighter set of 
permissions.  This might be implementable in a way which also prevents 
applications from ever gaining more permissions (via typebounds).



- James
-- 
James Morris
<[email protected]>

-- 
fedora-devel-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-devel-list
