Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > This means that it expects to trigger those capability checks as part of > its subsequent actions. Raising those capabilities temporarily in its > credentials will pass the capability module checks but won't address the > corresponding SELinux checks (both capability and file-based), so you'll > end up triggering an entire set of checks against the current process' > credentials. This same pattern is repeated elsewhere in overlayfs. Hmmm... Yes. I need to check whether the lower file can be read *before* overriding the creds. David -- To unsubscribe from this list: send the line "unsubscribe linux-unionfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
