On Mon, 2008-05-12 at 10:34 +1000, James Morris wrote:
> On Fri, 9 May 2008, Stephen Smalley wrote:
>
> > Simplify and improve the robustness of the SELinux ioctl checking by
> > using the "access mode" bits of the ioctl command to determine the
> > permission check rather than dealing with individual command values.
> > This removes any knowledge of specific ioctl commands from SELinux
> > and follows the same guidance we gave to Smack earlier.
>
> Looks good to me, let me know if you want it applied to for-akpm.

Could we perhaps get it added to the F10/rawhide kernel for a while and
mention it on fedora-devel-list for people to look out for cases where
it causes any failures with existing policy? That will help us to know
whether we need to introduce a compatibility knob / policy capability
for it or if we can just make this change unconditionally.

-- 
Stephen Smalley
National Security Agency
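The check described in the quoted patch summary, choosing a permission from the ioctl command's "access mode" (direction) bits instead of matching individual command values, sketched as an added example that is not the patch under discussion. The `PERM_*` names, `mk_cmd()` and `ioctl_required_perms()` are hypothetical, the mapping from direction to permission is an assumption, and the bit layout is the asm-generic one.

```c
#include <stdio.h>

/* Direction ("access mode") field as laid out in asm-generic/ioctl.h.
 * A few architectures differ; kernel code uses _IOC_DIR() instead. */
#define DIR_SHIFT 30u
#define DIR_MASK  0x3u
#define DIR_WRITE 0x1u  /* caller passes data into the kernel */
#define DIR_READ  0x2u  /* caller gets data back from the kernel */

/* Hypothetical permission bits, named for this example only. */
#define PERM_READ  0x1u
#define PERM_WRITE 0x2u
#define PERM_IOCTL 0x4u  /* generic fallback when no direction is encoded */

/* Build a command value from its fields (constructed sample input). */
unsigned int mk_cmd(unsigned int dir, unsigned int type,
                    unsigned int nr, unsigned int size)
{
    return (dir << DIR_SHIFT) | (size << 16) | (type << 8) | nr;
}

/* Choose the permission check from the direction bits alone. */
unsigned int ioctl_required_perms(unsigned int cmd)
{
    unsigned int dir = (cmd >> DIR_SHIFT) & DIR_MASK;
    unsigned int av = 0;

    if (dir & DIR_WRITE)
        av |= PERM_WRITE;
    if (dir & DIR_READ)
        av |= PERM_READ;
    return av ? av : PERM_IOCTL;
}

int main(void)
{
    /* Constructed samples; 0x5401 is TCGETS on x86, a legacy command
     * that returns data but encodes no direction. */
    unsigned int cmds[] = {
        mk_cmd(DIR_READ, 'E', 0x01, 4),
        mk_cmd(DIR_WRITE, 'E', 0x02, 4),
        mk_cmd(DIR_READ | DIR_WRITE, 'E', 0x03, 8),
        0x5401u,
    };
    for (size_t i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++)
        printf("cmd 0x%08x -> perms 0x%x\n", cmds[i],
               ioctl_required_perms(cmds[i]));
    return 0;
}
```

Commands such as TCGETS that predate the direction encoding carry no access-mode bits, so they are classified by the fallback rather than by what they actually transfer.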