On Tue, 2009-07-28 at 20:13 -0500, Serge E. Hallyn wrote:
> Quoting Bill McGonigle (bill@xxxxxxxxxxxxxxxx):
> > On 07/28/2009 04:11 PM, Chris Adams wrote:
> > Still, is such a change less severe than changing what root means? Is
> > Fedora that committed to SELinux? What's it going to take to make most
> > people who shut off SELinux stop doing that?
>
> Moving to heavier exploitation of capabilities doesn't mean
> stop using SELinux. Any more than finding and fixing buffer
> overflows should only be done if we want to turn off selinux.

Well, it isn't quite the same thing. Assignment of capabilities to
specific processes running specific binaries is something that SELinux
can already do via Type Enforcement. And preventing a uid 0 process from
writing to system files is likewise something that SELinux can already
do via Type Enforcement. So I think the only piece of the proposal that
is orthogonal to SELinux is privilege bracketing within the program
(dropping caps after use). But the changes to the file and directory
permissions seem more questionable.

--
Stephen Smalley
National Security Agency
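
The privilege bracketing mentioned in the message above (dropping caps after use), written out in C as an added example that is not part of the thread or of any Fedora code. It assumes Linux and uses the raw capget/capset system calls; CAP_CHOWN and the names with_cap, cap_drop_forever and probe_step are illustrative choices.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

enum capset { EFFECTIVE, PERMITTED };
static int caps_io(long nr, struct __user_cap_data_struct d[2]) { /* calling thread, ABI v3 */
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(nr, &h, d);
}

int cap_has(int cap, enum capset which) {          /* 1 yes, 0 no, -1 error */
    struct __user_cap_data_struct d[2];
    if (caps_io(SYS_capget, d) != 0) return -1;
    __u32 w = which == EFFECTIVE ? d[cap / 32].effective : d[cap / 32].permitted;
    return (int)((w >> (cap % 32)) & 1);
}

/* Raise or lower `cap` in the effective set only; permitted is untouched. */
int cap_set_effective(int cap, int on) {
    struct __user_cap_data_struct d[2];
    if (caps_io(SYS_capget, d) != 0) return -1;
    if (on) d[cap / 32].effective |= 1u << (cap % 32);
    else    d[cap / 32].effective &= ~(1u << (cap % 32));
    return caps_io(SYS_capset, d);
}

/* Clear `cap` from effective and permitted: this thread can never raise it again. */
int cap_drop_forever(int cap) {
    struct __user_cap_data_struct d[2];
    if (cap_set_effective(cap, 0) != 0 || caps_io(SYS_capget, d) != 0) return -1;
    d[cap / 32].permitted &= ~(1u << (cap % 32));
    return caps_io(SYS_capset, d);
}

/* The bracket: raise, run one privileged step, lower again whatever the step returned. */
int with_cap(int cap, int (*step)(void *), void *arg) {
    if (cap_set_effective(cap, 1) != 0) return -1;   /* not permitted: step never runs */
    int rc = step(arg);
    if (cap_set_effective(cap, 0) != 0) _exit(111);  /* never carry on with it raised */
    return rc;
}
/* Constructed step: records whether CAP_CHOWN was effective while it ran. */
int probe_step(void *seen) { *(int *)seen = cap_has(CAP_CHOWN, EFFECTIVE); return 0; }
int main(void) {
    int seen = -1, rc = with_cap(CAP_CHOWN, probe_step, &seen);
    printf("rc=%d inside=%d after=%d\n", rc, seen, cap_has(CAP_CHOWN, EFFECTIVE));
    return cap_drop_forever(CAP_CHOWN);
}
```

Run unprivileged, the bracket refuses to start because CAP_CHOWN is not in the permitted set; run with CAP_CHOWN permitted, the capability is effective only inside the step.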