On 11/30/21 12:27, Casey Schaufler wrote:
On 11/30/2021 8:06 AM, Stefan Berger wrote:
From: Denis Semakin <denis.semakin@xxxxxxxxxx>
This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
to setup IMA (Integrity Measurement Architecture) policies per container
for non-root users.
Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope
is system security administration. It seems to fit your needs.
I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using
it would be completely appropriate.
Fine by me. I suppose we could be reusing it later on also for setting
file extended attributes for IMA?
Stefan
