On Sun, 12 Oct 2008, Joshua Brindle wrote:
> Steve Grubb wrote:
> > Hi,
> >
> > I recently found out that the kernel now allows more than 32 capabilities.
> > This means I need to update the audit code that interprets this value given
> > from SE Linux. When I looked over the 2.6.27 kernel code, I found that SE
> > Linux has not updated the capabilities code. It's still being kept as a
> > simple integer in avc.h, but everywhere else I look in the kernel has moved
> > to kernel_cap_t, which is an array. Are patches for moving to kernel_cap_t
> > scheduled for 2.6.28? Are there security implications for not being able to
> > access or control capabilities > 32?
> >
>
> SELinux added an additional object class (capability2) so as to not extend the
> access vector.
>
> The current object class looks like this:
> class capability2
> {
>     mac_override # unused by SELinux
>     mac_admin # unused by SELinux
> }
>
> We can control them but they should never be hit on an SELinux system anyway
> (IIUC)

mac_admin is used to set and view deferred labels.

--
James Morris <jmorris@xxxxxxxxx>
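As an added illustration of the design discussed in this thread (example code, not from the thread's authors or the SELinux project): a small Python decoder that takes a two-word kernel_cap_t, maps every set bit to the SELinux object class that controls it (capability for bits 0-31, capability2 for bits 32 and up, since an access vector holds only 32 permissions), and shows which capabilities an audit consumer would silently lose if it kept reading the set as a single 32-bit integer. Capability numbers follow the kernel's include/linux/capability.h of the 2.6.27 era (CAP_MAC_OVERRIDE = 32, CAP_MAC_ADMIN = 33); the CAP_NAMES table is transcribed from that header, and the sample inputs are constructed.

```python
"""Decode a kernel_cap_t-style capability set into SELinux (class, permission)
pairs. Added example, not SELinux or audit project code."""

from typing import Dict, List, Tuple

U32_BITS = 32  # width of one kernel_cap_t word and of one SELinux access vector

# Capability numbers as in include/linux/capability.h (2.6.27 era). The SELinux
# permission name for each is the lower-cased capability name; bits >= 32 live
# in the capability2 class, exactly as the thread describes.
CAP_NAMES: Dict[int, str] = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin",
}


def caps_from_words(words: List[int]) -> int:
    """Combine a kernel_cap_t word array (word 0 = caps 0-31, word 1 = caps
    32-63, mirroring the kernel's ``struct { __u32 cap[2]; }``) into one int."""
    value = 0
    for index, word in enumerate(words):
        if not 0 <= word <= 0xFFFFFFFF:
            raise ValueError(f"word {index} is not a 32-bit value: {word:#x}")
        value |= word << (U32_BITS * index)
    return value


def selinux_class_for(cap: int) -> Tuple[str, str]:
    """Map a capability number to (object class, permission name).

    Bits below 32 are permissions of class ``capability``; higher bits belong
    to ``capability2`` so the 32-bit access vector need not grow. Numbers the
    table does not know get an obviously synthetic placeholder name."""
    cls = "capability" if cap < U32_BITS else "capability2"
    return cls, CAP_NAMES.get(cap, f"cap_{cap}")


def decode_caps(words: List[int]) -> List[Tuple[str, str]]:
    """Return (class, permission) for every capability set in ``words``,
    in ascending capability order."""
    value = caps_from_words(words)
    decoded = []
    bit = 0
    while value >> bit:
        if (value >> bit) & 1:
            decoded.append(selinux_class_for(bit))
        bit += 1
    return decoded


def legacy_u32_truncates(words: List[int]) -> Tuple[int, List[str]]:
    """Show what a consumer that still stores the set as one 32-bit integer
    (the avc.h situation raised in the thread) would see, and which
    capabilities it would drop without any error."""
    value = caps_from_words(words)
    visible = value & 0xFFFFFFFF
    lost = [CAP_NAMES.get(b, f"cap_{b}")
            for b in range(U32_BITS, value.bit_length()) if (value >> b) & 1]
    return visible, lost


if __name__ == "__main__":
    # Constructed sample: CAP_SYS_ADMIN (bit 21) plus CAP_MAC_ADMIN (bit 33).
    sample = [1 << 21, 0b10]
    for cls, perm in decode_caps(sample):
        print(f"{cls}:{perm}")
    visible, lost = legacy_u32_truncates([1 << 21, 0b11])
    print(f"32-bit view {visible:#010x}; silently dropped: {lost}")
```

Run stand-alone it prints the decoded pairs for the constructed sample, and the truncation helper makes the security point in Steve's question concrete: a consumer that never looks past the first word cannot see, and so cannot audit or control, anything in capability2.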