-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 A long time ago Eric Paris hinted that the policy WRT dac_override could probably be cleaned up. I suspect that most of the the time dac_override is not needed (too coarse). Instead dac_read_search would be sufficient for the common scenario where root processes traverse locations where it doesn't have DAC permissions to traverse. The problem is that dac_override seems to be checked first. but dac_override , if i understand it, is broader than dac_read_search so why is dac_read_search not checked before dac_override? - -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCAAGBQJW8rXyAAoJECV0jlU3+Udpn0cL/RLXUaoUX2RB4xXu38V1iUZV bLBufRWG3IND7j+AvaSt7ARCgkaSrZpoVDbxhwqKQGmjU1fkbUIBAOug/9jNeLIK ZjMeey4xZPEC908jfVtaJK6V8nldW/DiDhoH/6maXdd53Ta0+p1v5i8aw8zXgkyD PQoAUHamZnyz51s+HCsW8NsGUYkepwmoZ5bBUkmjwcqOtpIXa47NDviiKzEeF4R+ Tsbim70zTgMEMrjVRqB+5GkIVSI1NKEAkER5JCPMeDsM5u075wkPX7ZWS37fKg9f 4CGLWjNoeokAkRI/rRBVTNDFEmxEIBzv93JYjkCxtqxOG8a39I5dT2FgiGyu4VQf Rxi+DpQgKIQDB9qJgO3iOJYlPvihozxTc6X9mwzkfSbLG2fqQ8VPrl8v6A12zCTZ BiMZhIFZUwF3x9GNMAizq2mMZsVMslxXkoExH/+Eyb3IEx7Wsy9z9/eYS0ES74e7 KQEODr5Otp6joiwObkPJX9THXn6C+SC8fYA5hUofVA== =SCuN -----END PGP SIGNATURE----- _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
