|From:||Stephen Smalley <sds-AT-epoch.ncsc.mil>|
|To:||Andrew Morton <akpm-AT-osdl.org>|
|Date:||Mon, 05 Apr 2004 08:13:51 -0400|
|Cc:||Chris Wright <chrisw-AT-osdl.org>, andrea-AT-suse.de, lkml <linux-kernel-AT-vger.kernel.org>, kenneth.w.chen-AT-intel.com|
On Fri, 2004-04-02 at 16:35, Andrew Morton wrote: > Particularly as, apparently, the new security stuff STILL cannot solve the > extremely simple Oracle-wants-CAP_IPC_LOCK requirement. Actually, it can. With SELinux enabled, you run oracle as uid 0 in a TE domain that is allowed to use CAP_IPC_LOCK (e.g. allow oracle_t self:capability ipc_lock;) and no other capabilities, and you are done. Naturally, you would need to define a domain for oracle. uid 0 has no special significance to SELinux; it is only required to satisfy the secondary module you stack with SELinux, i.e. dummy or capabilities, and the ability to use capabilities is controlled by the TE policy. Or, if you want to drop the need to use uid 0 entirely, you unhook the secondary_ops from SELinux so that SELinux alone makes the capability decisions. But that will require finer tuning of the policy configuration. None of this is to argue against fixing the base capability logic, just to note that SELinux can control capability usage. -- Stephen Smalley <firstname.lastname@example.org> National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to email@example.com More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds