On Wednesday 29 July 2009 09:49:29 am Serge E. Hallyn wrote: > > There was a patch floated on selinux list circa June 2007 that would > > have allowed SELinux to directly grant capabilities. But it met a > > certain amount of resistance from people concerned about the > > implications of changing the historical position that SELinux only > > further restricts access and about how to handle states like permissive > > mode, selinux-disabled, etc seamlessly. > > > > http://marc.info/?l=selinux&m=118159187318524&w=2 > > http://marc.info/?l=selinux&m=118192327422630&w=2 > > http://marc.info/?l=selinux&m=118191791828777&w=2 > > I suppose the main problem with relying on this for granting privilege > to system processes would be that if the selinux policy wasn't loaded > for some reason, such processes (sshd, login, ...) would fail. There is also the argument that what we've been teaching people for years is that SE Linux strips away privileges and doesn't grant them. Changing the model would be somewhat confusing. -Steve -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list