On Sun, Jul 10, 2011 at 06:24:23PM -0700, Linda A. Walsh wrote:
> Why is CAP_SYS_ADMIN needed to access a disk device when device permissions
> are already present for this?

It is reading control information about the device, which is not the same
as reading the device itself.

A global CAP_SYS_ADMIN restriction is easy to implement and audit.
Anything else increases complexity and security exposure and like I said,
there's simply been hardly any demand to implement it - nor has there been
demand for proper selinux integration.

For now, configuring sudo is the closest you can get.

Alasdair

_______________________________________________
linux-lvm mailing list
linux-lvm@redhat.com
https://www.redhat.com/mailman/listinfo/linux-lvm
read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/