On Mon, 26 Nov 2007 12:38:56 -0800 Casey Schaufler <[EMAIL PROTECTED]> wrote:
> From: Casey Schaufler <[EMAIL PROTECTED]> > > This patch takes advantage of the increase in capability bits > to allocate capabilities for Mandatory Access Control. Whereas > Smack was overloading a previously allocated capability it is > now using a pair, one for overriding access control checks and > the other for changes to the MAC configuration. > > The two capabilities allocated should be obvious in their intent. > The comments in capability.h are intended to make it clear that > there is no intention that implementations of MAC LSM modules > be any more constrained by the presence of these capabilities > than an implementation of DAC LSM modules are by the analogous > DAC capabilities. > > > + !__capable(current, CAP_MAC_ADMIN)) > + !__capable(current, CAP_MAC_ADMIN)) Is there any reason for not using plain old capable() here? - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html