On Fri, Jan 15, 2010 at 03:10, Michael Stone <michael@xxxxxxxxxx> wrote:
> As promised, here are patches implementing and documenting a CAP_SETPCAP-gated
> "enable" bit along with a couple of other tweaks discussed earlier in the
> thread. For ease of development and review, the following four patches
> extend the disablenetwork (v4) patch series rather than replacing it.

To be honest, I'm still not convinced that this is the right way to approach your problem. I think you would be much better off with something analogous to the stripped-down SELinux policy I sent in an earlier email (150 lines, give or take). By using the appropriate SELinux hooks you can obtain the *exact* same enforcement, but without adding any code to the kernel.

I have some time this week to split out my SELinux policy build machinery; I will pull out a standalone set of files to build the policy and do some extra testing on one of my bog-standard Debian boxes and then send it all out again.

Cheers,
Kyle Moffett

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
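The following is an added illustration of the approach Kyle alludes to, not the 150-line policy from his earlier message (which is not part of this page) and not anything from the disablenetwork series. It is a reference-policy style module that confines a process in a domain that is simply never granted network socket permissions, and adds a `neverallow` so the build fails if some other module later grants them. Because SELinux denies anything not explicitly allowed, the LSM socket hooks (`security_socket_create` and friends) refuse socket creation for that domain with no kernel change. The domain and type names (`nonet_t`, `nonet_exec_t`, `launcher_t`) are assumptions chosen for the example; a real deployment would pick its own.

```selinux
# Added example module, not part of the original thread or any existing policy.
# Assumed names: nonet_t, nonet_exec_t, launcher_t.
policy_module(nonet_example, 1.0.0)

gen_require(`
    # Assumed: the domain of whatever launches the confined program.
    type launcher_t;
')

# Domain for processes that must not reach the network, and the entrypoint
# binaries that land a process in that domain.
type nonet_t;
domain_type(nonet_t)

type nonet_exec_t;
domain_entry_file(nonet_t, nonet_exec_t)

# Executing a nonet_exec_t binary from launcher_t transitions into nonet_t.
domain_auto_trans(launcher_t, nonet_exec_t, nonet_t)

# Deliberately NO allow rules for network socket classes here. The default-deny
# model means nonet_t cannot create TCP/UDP/raw/packet/netlink sockets at all.
# AF_UNIX sockets are left untouched by this example; add or omit them to taste.

# Build-time assertion: if any other module ever grants nonet_t a network
# socket, policy compilation fails instead of silently widening the domain.
neverallow nonet_t self:{ tcp_socket udp_socket rawip_socket packet_socket netlink_socket } *;
```

After loading the module (`semodule -i nonet_example.pp`) and labelling the target binary `nonet_exec_t`, a process started by `launcher_t` runs as `nonet_t`; an attempted `socket(AF_INET, ...)` returns `EACCES` and is logged as an AVC denial, which is the "same enforcement without kernel code" point made above. The `neverallow` is worth keeping even if it looks redundant: it is the check that protects the property against later policy changes.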