On Mon, 2008-05-12 at 08:26 -0400, Stephen Smalley wrote:
> On Mon, 2008-05-12 at 10:34 +1000, James Morris wrote:
> > On Fri, 9 May 2008, Stephen Smalley wrote:
> >
> > > Simplify and improve the robustness of the SELinux ioctl checking by
> > > using the "access mode" bits of the ioctl command to determine the
> > > permission check rather than dealing with individual command values.
> > > This removes any knowledge of specific ioctl commands from SELinux
> > > and follows the same guidance we gave to Smack earlier.
> >
> > Looks good to me, let me know if you want it applied to for-akpm.
>
> Could we perhaps get it added to the F10/rawhide kernel for a while and
> mention it on fedora-devel-list for people to look out for cases where
> it causes any failures with existing policy? That will help us to know
> whether we need to introduce a compatibility knob / policy capability
> for it or if we can just make this change unconditionally.

Eric - any indications of breakage in rawhide from this change? If not,
then I think we can likely queue it up on the for-akpm branch and target
2.6.27.

--
Stephen Smalley
National Security Agency
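
The check described in the quoted patch description, as an added example that is not part of this thread or of the SELinux patch: a user-space C sketch that derives the required permission from the ioctl command's direction ("access mode") bits alone, with no table of command values. The `PERM_*` bits, the `DEMO_*` commands and the fallback to a generic ioctl permission are assumptions made for illustration.

```c
#include <stdio.h>
#include <linux/ioctl.h>   /* _IOC_DIR, _IOC_READ, _IOC_WRITE, _IO/_IOR/_IOW/_IOWR */

/* Hypothetical permission bits for this sketch (not SELinux's real access vectors). */
#define PERM_IOCTL 0x1u    /* generic "may issue ioctls" permission (assumed fallback) */
#define PERM_READ  0x2u
#define PERM_WRITE 0x4u

/* Constructed sample payload and commands for a made-up driver with magic 'x'. */
struct demo_arg { int value; };
#define DEMO_RESET  _IO('x', 0)                     /* no data transfer */
#define DEMO_GET    _IOR('x', 1, struct demo_arg)   /* driver -> user   */
#define DEMO_SET    _IOW('x', 2, struct demo_arg)   /* user -> driver   */
#define DEMO_XCHG   _IOWR('x', 3, struct demo_arg)  /* both directions  */
/* Constructed legacy-style number with no _IOC encoding: direction bits are 0. */
#define DEMO_LEGACY 0x5401u

/* Map a command to required permissions using only its direction bits. */
static unsigned int ioctl_required_perms(unsigned int cmd)
{
    unsigned int perms = 0;

    if (_IOC_DIR(cmd) & _IOC_WRITE)   /* caller passes data in to the driver */
        perms |= PERM_WRITE;
    if (_IOC_DIR(cmd) & _IOC_READ)    /* driver returns data to the caller */
        perms |= PERM_READ;
    if (!perms)                       /* no direction encoded: generic check */
        perms = PERM_IOCTL;
    return perms;
}

int main(void)
{
    static const struct { const char *name; unsigned int cmd; } cmds[] = {
        {"DEMO_RESET", DEMO_RESET}, {"DEMO_GET", DEMO_GET},
        {"DEMO_SET", DEMO_SET}, {"DEMO_XCHG", DEMO_XCHG},
        {"DEMO_LEGACY", DEMO_LEGACY},
    };

    for (size_t i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++) {
        unsigned int p = ioctl_required_perms(cmds[i].cmd);
        printf("%-11s 0x%08x ->%s%s%s\n", cmds[i].name, cmds[i].cmd,
               (p & PERM_IOCTL) ? " ioctl" : "",
               (p & PERM_READ) ? " read" : "",
               (p & PERM_WRITE) ? " write" : "");
    }
    return 0;
}
```

In this sketch a command number that carries no direction bits, such as `DEMO_LEGACY`, always lands on the generic permission, so existing policy that relied on per-command distinctions for such numbers is where the breakage asked about above would show up.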