A bid to resurrect Linux capabilities
Posted Sep 14, 2006 17:35 UTC (Thu) by kfiles
Parent article: A bid to resurrect Linux capabilities
I'm not sure I agree with the premise that no Linux distribution has shipped with active capabilities support, or that current capabilities support is inherently unusable due to the lack of inheritance.
For many years, I've used the highly-secure EngardeLinux distribution from Guardian Digital, which shipped with LIDS (http://www.lids.org) installed and enabled by default. Now, LIDS development is mostly bug-fixing at this point -- it's not pushing cutting edge features. However, for a manageable Mandatory Access Control system utilizing capabilities, it's quite nice. Like SELinux, it uses centralized ACL configuration rather than file attributes, which makes it a better fit for distributions than for package owners (see, e.g., AppArmor, as a solution that enables each package to ship its own ACLs).