Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:

> It would seem to me that security_secctx_to_secid() ought to suffice if the
> application code was written correctly.

That's not quite sufficient as there still needs to be a verification step to
make sure the caller is allowed to do this.

> Be aware that factors outside the LSM may be important, too. As Stephen
> points out elsewhere, Smack will require you have particular capabilities
> (CAP_MAC_OVERRIDE, CAP_MAC_ADMIN) while a DAC LSM may require
> CAP_DAC_OVERRIDE.

For what?

David