>>>>> "Jack" == Jack O'Quin <joq@xxxxxx> writes:

>> Hmm. There is some discussion if the LSM is actually very
>> secure. That's why RSBAC is not using/is implemented as an LSM,
>> but of course there are always discussions...

Jack> All the complaints I've seen about LSM were rather vague,
Jack> and mostly seem motivated by discontent that someone else's
Jack> security hooks got introduced into the mainline kernel. The
Jack> current hooks are quite adequate for my simple needs.

Jack> Do you know of any specific security problems that I should
Jack> watch out for? None have been mentioned on the
Jack> linux-security-module mailing list.

I don't know about any security bugs for LSM. I haven't even tried it.
(As I mentioned, I cannot upgrade to a 2.6 kernel at the moment.)
But I don't think the arguments are vague... http://rsbac.org/lsm.htm

>> I was actually thinking about if I could use EA/ACL and/or rsbac
>> or grsecurity, for granting specific users running specific
>> executables the Realtime capability

Jack> That would be nice. How would you propose to go about it?

Jack> To have any traction as a general solution for Linux Audio,
Jack> a solution needs to be based on generally-available code.
Jack> There is no point in telling users or distributions: "apply
Jack> this 30,000-line patch to your kernel, then tag the
Jack> following 127 files with Access Control Lists." It won't
Jack> happen.
Jack> -- joq

I agree that it should be easy, or else it will not be used, but
you have to use some kind of ACLs to grant specific capabilities to
specific executables depending on which user runs the executable.

Sorry about starting this discussion. I was only interested in how people
used jack being nonroot. I just thought that someone maybe used rsbac,
grsecurity, or selinux to do this.

/Hasse