Re: disable-cap-mlock
[Posted April 6, 2004 by corbet]
| From: |
| Stephen Smalley <sds-AT-epoch.ncsc.mil> |
| To: |
| Andrew Morton <akpm-AT-osdl.org> |
| Subject: |
| Re: disable-cap-mlock |
| Date: |
| Mon, 05 Apr 2004 08:13:51 -0400 |
| Cc: |
| Chris Wright <chrisw-AT-osdl.org>, andrea-AT-suse.de,
lkml <linux-kernel-AT-vger.kernel.org>, kenneth.w.chen-AT-intel.com |
On Fri, 2004-04-02 at 16:35, Andrew Morton wrote:
> Particularly as, apparently, the new security stuff STILL cannot solve the
> extremely simple Oracle-wants-CAP_IPC_LOCK requirement.
Actually, it can. With SELinux enabled, you run oracle as uid 0 in a TE
domain that is allowed to use CAP_IPC_LOCK (e.g. allow oracle_t
self:capability ipc_lock;) and no other capabilities, and you are done.
Naturally, you would need to define a domain for oracle. uid 0 has no
special significance to SELinux; it is only required to satisfy the
secondary module you stack with SELinux, i.e. dummy or capabilities, and
the ability to use capabilities is controlled by the TE policy.
Or, if you want to drop the need to use uid 0 entirely, you unhook the
secondary_ops from SELinux so that SELinux alone makes the capability
decisions. But that will require finer tuning of the policy
configuration.
None of this is to argue against fixing the base capability logic, just
to note that SELinux can control capability usage.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
