I thought that both the kernel capability approach and SE Linux were designed to do just this: allow a typically "unpriviledged" process access to a restricted subset of capabilities that normally require rootpriviledge. Is this not correct? In your last paragraph above, when you say "unprivileged process" do you mean a standard unix process (ie an "unconfined_t" process in CentOS SE Linux) or do you mean any non-root process? My understanding was (and please correct me if I'm wrong), is that I can take a known process (eg many online examples use 'ping') and provide it with additional priviledges (eg raw socket access) that a non-root (in that sense, unprivileged) process normally wouldn't have.
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=permissive # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted # SETLOCALDEFS= Check local definition changes SETLOCALDEFS=0 |
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
