Re: [RFC PATCH v6 08/13] SELinux: Add new peer permissions to the Flask definitions

2007-11-12 Thread Paul Moore
On Sunday 11 November 2007 5:31:44 pm James Morris wrote: > On Fri, 9 Nov 2007, Paul Moore wrote: > > Add additional Flask definitions to support the new "peer" object class. > > Should this be dependent on dynamic class/permission support? I think it's okay to _define_ the Flask definitions regar

Re: [RFC PATCH v6 09/13] SELinux: Better integration between peer labeling subsystems

2007-11-12 Thread Paul Moore
On Sunday 11 November 2007 5:34:27 pm James Morris wrote: > On Fri, 9 Nov 2007, Paul Moore wrote: > > + /* Between selinux_compat_net and selinux_policycap_netpeer this is > > +* starting to get a bit messy - we need to setup a timetable for > > +* deprecating some of this old/obsolete fu

Re: AppArmor Security Goal

2007-11-12 Thread Bodo Eggert
Rogelio M. Serrano Jr. <[EMAIL PROTECTED]> wrote: > Dr. David Alan Gilbert wrote: >> Allowing a user to tweak (under constraints) their settings might allow >> them to do something like create two mozilla profiles which are isolated >> from each other, so that the profile they use for general web

Re: AppArmor Security Goal

2007-11-12 Thread Crispin Cowan
Dr. David Alan Gilbert wrote: > * Crispin Cowan ([EMAIL PROTECTED]) wrote: > >> I mostly don't see this as a serious limitation, because almost everyone >> has their own workstation, and thus has root on that workstation. There >> are 2 major exceptions: >> >> * Schools, where the "workstati

Re: AppArmor Security Goal

2007-11-12 Thread Crispin Cowan
Alan Cox wrote: >> but how can the system know if the directory the user wants to add is >> reasonable or not? what if the user says they want to store their >> documents in /etc? >> > A more clear example is wanting to wrap a specific tool with temporary > rules. Those rules would depend on

Re: AppArmor Security Goal

2007-11-12 Thread Joshua Brindle
Casey Schaufler wrote: --- Crispin Cowan <[EMAIL PROTECTED]> wrote: Dr. David Alan Gilbert wrote: ... Can you explain why you want a non-privileged user to be able to edit policy? I would like to better understand the problem here. Note that John Johansen is also interested in allowing non

Re: AppArmor Security Goal

2007-11-12 Thread Crispin Cowan
[EMAIL PROTECTED] wrote: > a question for Crispin, > is there a wildcard replacement for username? so that you could > grant permission to /home/$user/.mozilla.. and grant each user > access to only their own stuff? I realize that in this particular > example the underlying DAC will handle it

Re: AppArmor Security Goal

2007-11-12 Thread John Johansen
On Mon, Nov 12, 2007 at 03:50:59PM -0800, Crispin Cowan wrote: > Dr. David Alan Gilbert wrote: > > * Crispin Cowan ([EMAIL PROTECTED]) wrote: > > > >> I mostly don't see this as a serious limitation, because almost everyone > >> has their own workstation, and thus has root on that workstation. T

Re: AppArmor Security Goal

2007-11-12 Thread Casey Schaufler
--- Joshua Brindle <[EMAIL PROTECTED]> wrote: > Casey Schaufler wrote: > > --- Crispin Cowan <[EMAIL PROTECTED]> wrote: > > > > > >> Dr. David Alan Gilbert wrote: > >> ... > >> > >> Can you explain why you want a non-privileged user to be able to edit > >> policy? I would like to better unders

Re: [PATCH 2/2] Version 11 (2.6.24-rc2) Smack: Simplified Mandatory Access Control Kernel

2007-11-12 Thread Andrew Morton
On Thu, 08 Nov 2007 20:48:52 -0800 Casey Schaufler <[EMAIL PROTECTED]> wrote: > Smack is the Simplified Mandatory Access Control Kernel. This ran afoul of http://userweb.kernel.org/~akpm/mmotm/broken-out/vfs-security-rework-inode_getsecurity-and-callers-to.patch Until that patch gets merged we'l

Re: AppArmor Security Goal

2007-11-12 Thread Rob Meijer
> The > system is "defended" in that the worst the attacker can do to corrupt > the system is limited to the transitive closure of what the confined > processes are allowed to access. The damage the attacker can do would be defined by the authority not the permissions the process has. > A "complic