be that an updated policy is weaker for some
reason) -- but it doesn't matter, there should be no way to change MAC
policy without MAC privilege.
- James
--
James Morris
jmor...@namei.org
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
the operation is running at
full privilege.
- James
--
James Morris
jmor...@namei.org
of well-established security benefit in
moving away from the simple model of using a root/wheel account (or sudo)
for admin and a separate user account for everything else.
- James
--
James Morris
jmor...@namei.org
and the administrator are no
longer really separated? Things seem to be regressing according to
whatever use-case some desktop developer thinks is important at the time.
- James
--
James Morris
jmor...@namei.org
is rebooted?
One scenario here is where the admin has made local modifications, which
are then discarded by an upgrade of the policy. It should not be
possible.
--
James Morris
jmor...@namei.org
and
not enabled by simply installing a package.)
Good.
Executive summary
=
We'll make an update to the F12 PackageKit, so that the root password is
required to install packages.
Also good :-)
Thanks for getting this resolved so quickly.
- James
--
James Morris
jmor
How might this affect the Fedora kernel?
-- Forwarded message --
Date: Tue, 10 Nov 2009 08:07:39 -0600
From: Serge E. Hallyn se...@us.ibm.com
To: lkml linux-ker...@vger.kernel.org
Cc: linux-security-mod...@vger.kernel.org, Andrew Morgan mor...@kernel.org,
Steve Grubb
more permissions (via typebounds).
- James
--
James Morris
jmor...@namei.org
process
which has this capability, and how the propagation of that privilege is
bounded within the system as a whole.
We can do that with SELinux (in fact it's been somewhat designed for this
purpose), and that's how we should approach the problem.
- James
--
James Morris
jmor...@namei.org
.
- James
--
James Morris
jmor...@namei.org
and tighter security policy (e.g.
SELinux MAC) is to help reduce the impact of bugs (and misconfiguration)
when they occur.
- James
--
James Morris
jmor...@namei.org
--
James Morris
jmor...@namei.org
--
James Morris
[EMAIL PROTECTED]
___
Fedora-kernel-list mailing list
Fedora-kernel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-kernel-list
/
Signed-off-by: Stephen Smalley [EMAIL PROTECTED]
Signed-off-by: James Morris [EMAIL PROTECTED]
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index f83b19d..4bf715d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1744,6 +1744,9
normal users (you need to specially configure ipsec for
anything to happen).
Do we have the userland patches for racoon etc. in Fedora ?
- James
--
James Morris
[EMAIL PROTECTED]
- James
--
James Morris
[EMAIL PROTECTED]
--
fedora-list mailing list
[EMAIL PROTECTED]
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-announce
16 matches