On Sun, Mar 23, 2008 at 2:40 PM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>
> --- Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>
> >
> > --- cinthya aranguren <cinthya.aranguren@xxxxxxxxx> wrote:
> >
> > > Hi,
> > >
> > > Is there any way to avoid or remove DAC controls? I'd like to have only one
> > > security scheme in my system. I mean a pure SELinux system, not DAC + MAC,
> > > only MAC.
> >
> > No.
> >
> > Well, not today.
>
> I will add that if every process runs with CAP_DAC_OVERRIDE set
> you can approach "no DAC", but I think you would probably have
> to dig very deeply into the behavior of security cognizant
> applications (sendmail comes to mind) and make sure that they
> aren't explicitly dropping that capability. I will let those
> who work more closely with SELinux policy than I do describe
> how capabilities possessed are related to an SELinux policy
> and how that might impact the behavior of SELinux. You should
> also note that SELinux takes what are traditionally DAC
> attributes into account when making decisions and that if you
> use MCS you are using a DAC mechanism within SELinux. I'm not
> saying that's bad, just that it's there.
>

This is a good point. I will experiment with CAP_DAC_OVERRIDE. But why does
SELinux take DAC attributes into account when making decisions? Doesn't this
violate the separation of "policy" from "enforcement"?

>
>
> Casey Schaufler
> casey@xxxxxxxxxxxxxxxx
>

Cinthya.
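Casey's point that an "approach no DAC" setup only holds while every process keeps CAP_DAC_OVERRIDE in its effective set is something an administrator can actually audit rather than guess at. The following is an added example, not code from the thread or from the SELinux project: it decodes the CapEff line of /proc/<pid>/status (CAP_DAC_OVERRIDE is capability number 1 in <linux/capability.h>) and lists every process that has dropped it, i.e. every process that DAC mode bits would still constrain. The two status bodies embedded below are constructed samples, and the sendmail one is only a stand-in for the kind of capability-dropping daemon the message mentions.

```python
import os
import re

# Capability bit numbers from <linux/capability.h>.
CAP_DAC_OVERRIDE = 1      # bypass file read/write/execute permission checks
CAP_DAC_READ_SEARCH = 2   # bypass read/search checks only

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")
_NAME_LINE = re.compile(r"^Name:\s*(.*)$")


def parse_status(status_text):
    """Parse the body of /proc/<pid>/status into (name, {set_name: mask}).

    Only the Name: line and the capability-set lines are read; the masks are
    the 64-bit hex values the kernel prints, decoded to int.
    """
    name = "?"
    sets = {}
    for line in status_text.splitlines():
        m = _NAME_LINE.match(line)
        if m:
            name = m.group(1).strip()
            continue
        m = _CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return name, sets


def has_cap(mask, bit):
    """True if capability number `bit` is present in the decoded mask."""
    return bool((mask >> bit) & 1)


def effective_dac_override(status_text):
    """True if the process described by status_text can currently bypass DAC
    permission checks (CAP_DAC_OVERRIDE is in its effective set)."""
    _, sets = parse_status(status_text)
    return has_cap(sets.get("CapEff", 0), CAP_DAC_OVERRIDE)


def scan_proc(proc_root="/proc"):
    """Walk a procfs tree and return [(pid, name)] for every process whose
    effective set lacks CAP_DAC_OVERRIDE, sorted by pid. Reading other users'
    status files normally requires root."""
    lacking = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                text = fh.read()
        except OSError:
            continue  # process exited between listdir and open, or unreadable
        name, sets = parse_status(text)
        if not has_cap(sets.get("CapEff", 0), CAP_DAC_OVERRIDE):
            lacking.append((int(entry), name))
    return sorted(lacking)


# Constructed sample status bodies (not captured from a real system).
FULL_ROOT_STATUS = """\
Name:\tinit
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

# Same shape after a daemon dropped CAP_DAC_OVERRIDE: low byte ff -> fd
# clears bit 1 in the permitted and effective sets; the bounding set is intact.
DROPPED_STATUS = """\
Name:\tsendmail
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t000001fffffffffd
CapEff:\t000001fffffffffd
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print("init keeps CAP_DAC_OVERRIDE:", effective_dac_override(FULL_ROOT_STATUS))
    print("sendmail keeps CAP_DAC_OVERRIDE:", effective_dac_override(DROPPED_STATUS))
    if os.path.isdir("/proc/self"):
        for pid, name in scan_proc():
            print(f"{pid}\t{name}\tlacks CAP_DAC_OVERRIDE")
```

A process that shows up in the scan is still bound by mode bits regardless of what SELinux policy allows, so the list is the set of places where the thread's "no DAC" assumption breaks; it says nothing about the separate question of how SELinux policy itself treats those capabilities.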