Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > This means that it expects to trigger those capability checks as part of > its subsequent actions. Raising those capabilities temporarily in its > credentials will pass the capability module checks but won't address the > corresponding SELinux checks (both capability and file-based), so you'll > end up triggering an entire set of checks against the current process' > credentials. This same pattern is repeated elsewhere in overlayfs. Hmmm... Yes. I need to check whether the lower file can be read *before* overriding the creds. David _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
