Re: 2.6.6-mm1

[Chris Wright]

* Chris Wedgwood (cw@xxxxxxxx) wrote:
> On Mon, May 10, 2004 at 03:02:03PM -0700, Andrew Morton wrote:
> 
> > Capabilities are broken and don't work.  Nobody has a clue how to
> > provide the required services with SELinux and nobody has any code
> > and we need the feature *now* before vendors go shipping even more
> > ghastly stuff.
> 
> eh? magic groups are nasty...  and why is this needed?  can't
> oracle/whatever just run with a wrapper to give the capabilities out
> as required until a better solution is available

I agree.  I have a patch that at least fixes this bit of capabilities
(currently, what you suggest doesn't work right), which could easily be
dusted off and resent.

And while we're at it, it would be nice to have the working bits of
memlock rlimits going.  At least the mlock() users would get some help
(i.e. gpg).  Another bit I could resend (removing the broken shm bits,
of course).  It's just those pesky shm segs having their own lifecycle
which breaks the hugetlb and SHM_LOCK attempts to use memlock rlimits.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/