Re: [RFC] [PATCH] [0/6] LSM Stacking

From: Stephen Smalley
Date: Fri Nov 05 2004 - 11:57:55 EST

Next message: Jeff Garzik: "Re: Xen 2.0 Officially Released!"
Previous message: Adrian Bunk: "2.6.10-rc1-mm3: drm_ati_pcigart_{init,cleanup} multiple definition"
In reply to: Serge E. Hallyn: "Re: [RFC] [PATCH] [0/6] LSM Stacking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2004-11-05 at 02:23, Valdis.Kletnieks@xxxxxx wrote:
> One issue: I'm seeing this from /usr/sbin/sendmail:
>
> % /usr/sbin/sendmail
> drop_privileges: setuid(0) succeeded (when it should not)
>
> I've not tracked down what's causing this indigestion yet (I suspect some
> bad interaction with capabilities - that's what caused that message to be
> added to Sendmail in the first place).

stacker module is granting capability if any security module allows it
under the view that the capable() hook is authoritative. But that is a
mistake; if you look at the existing stacking support in SELinux for
capabilities, we require both modules to approve the capability.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jeff Garzik: "Re: Xen 2.0 Officially Released!"
Previous message: Adrian Bunk: "2.6.10-rc1-mm3: drm_ati_pcigart_{init,cleanup} multiple definition"
In reply to: Serge E. Hallyn: "Re: [RFC] [PATCH] [0/6] LSM Stacking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]