Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)

[Valdis . Kletnieks]

On Mon, 17 Apr 2006 22:26:24 BST, Alan Cox said:

(Two replies to this paragraph, addressing 2 separate issues....)

> You can implement a BSD securelevel model in SELinux as far as I can see
> from looking at it, and do it better than the code today, so its not
> really a feature drop anyway just a migration away from some fossils

If we heave the LSM stuff overboard, there's one thing that *will* need
addressing - what to do with kernel support of Posix-y capabilities.  Currently
some of the heavy lifting is done by security/commoncap.c.

Frankly, that's *another* thing that we need to either *fix* so it works right,
or rip out of the kernel entirely.  As far as I know, there's no in-tree way
to make /usr/bin/ping be set-CAP_NET_RAW and have it DTRT.

Attachment: pgp00000.pgp
Description: PGP signature