Steve Grubb wrote:
Hi,
I recently found out that the kernel now allows more than 32 capabilities.
This means I need to update the audit code that interprets this value given
from SE Linux. When I looked over the 2.6.27 kernel code, I found that SE
Linux has not updated the capabilities code. It's still being kept as a simple
integer in avc.h, but everywhere else I look in the kernel has moved to
kernel_cap_t, which is an array. Are patches for moving to kernel_cap_t
scheduled for 2.6.28? Are there security implications for not being able to
access or control capabilities > 32?
SELinux added an additional object class (capability2) so as to not
extend the access vector.
The current object class looks like this:
class capability2
{
mac_override # unused by SELinux
mac_admin # unused by SELinux
}
We can control them but they should never be hit on an SELinux system
anyway (IIUC)
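As an added illustration (not code from the thread, the kernel or the SELinux policy sources), the following C program shows how the split into the "capability" and "capability2" classes lines up with the kernel_cap_t array form Steve mentions: capabilities 0-31 live in the first 32-bit word and map to the "capability" class, capabilities 32 and up live in the second word and map to "capability2". The CAP_TO_INDEX/CAP_TO_MASK scheme and the values CAP_MAC_OVERRIDE = 32 and CAP_MAC_ADMIN = 33 are the kernel's; the class identifiers SECCLASS_CAPABILITY/SECCLASS_CAPABILITY2 and the helper names are assumptions made for this example, and the decoder is the kind of routine an audit tool would use to interpret a capability set rather than anything from the audit code itself.

```c
/* Added example, not from the original thread or from kernel/SELinux sources.
 * Demonstrates how a capability number beyond 31 lands in the SELinux
 * "capability2" class, using the same index/mask arithmetic the kernel uses
 * for kernel_cap_t (an array of 32-bit words, not a single integer). */
#include <stdio.h>
#include <stdint.h>

#define CAP_SYS_ADMIN    21              /* kernel value */
#define CAP_MAC_OVERRIDE 32              /* kernel value: first cap past 31 */
#define CAP_MAC_ADMIN    33              /* kernel value */
#define CAP_LAST_CAP     CAP_MAC_ADMIN   /* assumption: highest cap for this example */

#define CAP_TO_INDEX(x) ((x) >> 5)          /* which 32-bit word of the array */
#define CAP_TO_MASK(x)  (1u << ((x) & 31))  /* bit inside that word */
#define CAP_U32S        (CAP_TO_INDEX(CAP_LAST_CAP) + 1)

/* Hypothetical object-class identifiers, named after the SELinux classes. */
enum sel_class { SECCLASS_NONE = 0, SECCLASS_CAPABILITY = 1, SECCLASS_CAPABILITY2 = 2 };

/* Array form of a capability set, as opposed to the old single integer. */
typedef struct { uint32_t cap[CAP_U32S]; } kernel_cap_t;

/* Object class that governs a given capability number (NONE if out of range). */
enum sel_class cap_class(int cap)
{
    if (cap < 0 || cap > CAP_LAST_CAP)
        return SECCLASS_NONE;
    switch (CAP_TO_INDEX(cap)) {
    case 0:  return SECCLASS_CAPABILITY;   /* caps 0..31  */
    case 1:  return SECCLASS_CAPABILITY2;  /* caps 32..63 */
    default: return SECCLASS_NONE;
    }
}

/* Access-vector bit for the capability inside its class (0 if out of range). */
uint32_t cap_av(int cap)
{
    return cap_class(cap) == SECCLASS_NONE ? 0u : CAP_TO_MASK(cap);
}

/* Raise / test a capability in the array representation. */
void cap_raise(kernel_cap_t *set, int cap)
{
    set->cap[CAP_TO_INDEX(cap)] |= CAP_TO_MASK(cap);
}

int cap_raised(const kernel_cap_t *set, int cap)
{
    return (set->cap[CAP_TO_INDEX(cap)] & CAP_TO_MASK(cap)) != 0;
}

/* Audit-style decoder: lists every raised capability with the SELinux class
 * and bit it corresponds to. Returns the number of raised capabilities. */
int decode_capset(const kernel_cap_t *set)
{
    int n = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        if (!cap_raised(set, cap))
            continue;
        printf("cap %2d -> class %-11s av 0x%08x\n", cap,
               cap_class(cap) == SECCLASS_CAPABILITY ? "capability" : "capability2",
               cap_av(cap));
        n++;
    }
    return n;
}

/* Builds a constructed sample set with one capability in each word. */
int sample_count(void)
{
    kernel_cap_t set = { {0} };
    cap_raise(&set, CAP_SYS_ADMIN);   /* first word  -> "capability"  */
    cap_raise(&set, CAP_MAC_ADMIN);   /* second word -> "capability2" */
    return decode_capset(&set);
}

int main(void)
{
    return sample_count() == 2 ? 0 : 1;
}
```

The point the decoder makes for an audit consumer is that a raw capability number is not enough on its own: the same bit value 0x1 means CAP_CHOWN in the "capability" class but mac_override in "capability2", so a tool reading AVC records has to carry the class along with the bit.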
--
This message was distributed to subscribers of the selinux mailing list.