Stephen Smalley wrote:
> BTW, it is important to remember here that targeted policy doesn't try
> to confine users (just specific programs and daemons) and that
> relabeling /etc/passwd or other system files doesn't give the user any
> greater access since he is already unconfined as far as SELinux is
> concerned.

That's true for SELinux policy itself. However, the linux kernel _does_ confine users, independent of "external [to the kernel]" SELinux policy, as an unavoidable part of the complete selinux package. Namely, the restrictions on execmod and execmem can make life difficult for legitimate software which uses non-mainstream techniques to achieve higher performance and/or create a richer debugging environment. Even in targeted mode, SELinux has greater-than-zero operational costs for non-targeted software.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
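
Added example, not part of the original message: one way to see which non-targeted programs run into the execmem and execmod checks discussed above is to group those AVC denials by source domain and command. The audit records, program names and paths below are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the original post).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1130000001.101:11): avc:  denied  { execmem } for  pid=2101 comm="jit-runner" scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
type=AVC msg=audit(1130000002.202:12): avc:  denied  { execmod } for  pid=2102 comm="dbgtool" path="/opt/example/lib/libpatch.so" dev=dm-0 ino=4242 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
type=AVC msg=audit(1130000003.303:13): avc:  denied  { read } for  pid=2103 comm="httpd" name="shadow" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1130000004.404:14): avc:  denied  { execmem } for  pid=2104 comm="jit-runner" scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$')
MEMORY_PERMS = {"execmem", "execmod"}  # the two checks named in the message


def parse_fields(text):
    """Split 'key=value key="quoted value"' pairs into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}


def memory_denials(log_text):
    """Return {(source_type, comm, perm): [target path or class, ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # not an AVC denial record
        fields = parse_fields(match.group("fields"))
        context = fields.get("scontext", "").split(":")
        # SELinux context is user:role:type[:level]; the type is the domain.
        source_type = context[2] if len(context) > 2 else "?"
        for perm in MEMORY_PERMS.intersection(match.group("perms").split()):
            target = fields.get("path", fields.get("tclass", "?"))
            hits[(source_type, fields.get("comm", "?"), perm)].append(target)
    return dict(hits)


if __name__ == "__main__":
    for (domain, comm, perm), targets in sorted(memory_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{domain:15} {comm:12} {perm:8} x{len(targets)}  {targets[0]}")
```

Denials whose source type is unconfined_t are the case the message describes: software outside the targeted domains that is still subject to these checks.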