Alasdair G Kergon wrote:
On Sun, Jul 10, 2011 at 06:24:23PM -0700, Linda A. Walsh wrote:
Why is CAP_SYS_ADMIN needed to access a disk device when device
permissions
are already present for this?
It is reading control information about the device, which is not the
same as reading the device itself.
A global CAP_SYS_ADMIN restriction is easy to implement and audit.
Anything else increases complexity and security exposure and like I
said, there's simply been hardly any demand to implement it - nor has
there been demand for proper selinux integration.
For now, configuring sudo is the closest you can get.
----
Which is what I'm ending up doing...
putting 'sudo' in all my scripts.
It also means the 'lvs' command to show you how close your snapshots are
to full isn't readily available w/o sudo, (or building it into a script).
As for reading control information -- um....is there a reason why
the information
couldn't be exported through a /proc interface?
_______________________________________________
linux-lvm mailing list
linux-lvm@redhat.com
https://www.redhat.com/mailman/listinfo/linux-lvm
read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
