Thanks, guys - I also need to update the selinux classmap in both kernel
and policy. Hoping to get around to that this afternoon, but not sure.

-serge

Quoting Andrew G. Morgan (morgan@xxxxxxxxxx):
> Acked-by: Andrew G. Morgan <morgan@xxxxxxxxxx>
>
> I concur with Kees.
>
> Cheers
>
> Andrew
>
> On Mon, Mar 8, 2010 at 10:58 AM, Kees Cook <kees@xxxxxxxxxx> wrote:
> > Hi Serge,
> >
> > On Fri, Mar 05, 2010 at 02:56:07PM -0600, Serge E. Hallyn wrote:
> >> Privileged syslog operations currently require CAP_SYS_ADMIN. Split
> >> this off into a new CAP_SYSLOG privilege which we can sanely take away
> >> from a container through the capability bounding set.
> >
> > Seems like a good idea, but it'll require code changes in libcap2,
> > libcap-ng, as well as manpages.
> >
> > I support the idea -- more stuff needs to be extracted from CAP_SYS_ADMIN,
> > but this is a nice distinct subsystem to do now.
> >
> > Acked-By: Kees Cook <kees.cook@xxxxxxxxxxxxx>
> >
> > --
> > Kees Cook
> > Ubuntu Security Team

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers