On Mon, 2008-03-31 at 14:07 -0400, Eric Paris wrote: > I know its way late but I'd like to add a new SELinux concept to the F9 > kernels. Its going to be a backport of a couple of my changesets headed > upstream > > http://git.kernel.org/?p=linux/kernel/git/jmorris/selinux-2.6.git;a=commitdiff;h=32021b669089eb9b264e6b26af4d9a47eb50d4f1 > http://git.kernel.org/?p=linux/kernel/git/jmorris/selinux-2.6.git;a=commitdiff;h=70d212ebfdd5e39a9d4fb0f8f7ea5c38486f6b04
The second patch is effectively a bug fix, as otherwise open(2) with flags 3 will fail ever since the dentry_open hook was added. So that one makes sense regardless of the permissive domains patches. > http://git.kernel.org/?p=linux/kernel/git/jmorris/selinux-2.6.git;a=commitdiff;h=559dbbc87d0a5d2eb88bbbea5f2b66ee2dfd55d6 > > Only the third patch is truly interesting. > > A permissive domain is a new concept in which a sysadmin can say that a > given domain is free to do anything it wants. Lets say a user seriously > customized httpd and they want httpd to just be allowed to run wild > while still keeping enforcing for everything else in the system. With > the kernel patch I want to commit and the userspace changes dan has > already pushed this week they just need a simple policy which says > "permissive httpd_t" and all their httpd_t denials become allows! > > One of the upstream patches adds a BUG_ON() but I'm still a teensy bit > scared of it so in the F9 patch I'll probably make it a WARN_ON since it > isn't really deadly to the kernel... anyway. Chances of regression > here are very very low. > > I would just jam this in myself but we are getting really late and I > wanted people to be able to tell me no before I did it. If noone > strongly objects quickly expect to see a commit message early this > week.... -- Stephen Smalley National Security Agency _______________________________________________ Fedora-kernel-list mailing list Fedora-kernel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-kernel-list
