Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S262153AbUDEMOf (ORCPT ); Mon, 5 Apr 2004 08:14:35 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S262170AbUDEMOf (ORCPT ); Mon, 5 Apr 2004 08:14:35 -0400 Received: from [144.51.25.10] ([144.51.25.10]:20621 "EHLO epoch.ncsc.mil") by vger.kernel.org with ESMTP id S262153AbUDEMOd (ORCPT ); Mon, 5 Apr 2004 08:14:33 -0400 Subject: Re: disable-cap-mlock From: Stephen Smalley To: Andrew Morton Cc: Chris Wright , andrea@suse.de, lkml , kenneth.w.chen@intel.com In-Reply-To: <20040402133540.1dfa0256.akpm@osdl.org> References: <20040401135920.GF18585@dualathlon.random> <20040401170705.Y22989@build.pdx.osdl.net> <20040401173034.16e79fee.akpm@osdl.org> <20040402133540.1dfa0256.akpm@osdl.org> Content-Type: text/plain Organization: National Security Agency Message-Id: <1081167231.5343.13.camel@moss-spartans.epoch.ncsc.mil> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.5 (1.4.5-7) Date: Mon, 05 Apr 2004 08:13:51 -0400 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1328 Lines: 29 On Fri, 2004-04-02 at 16:35, Andrew Morton wrote: > Particularly as, apparently, the new security stuff STILL cannot solve the > extremely simple Oracle-wants-CAP_IPC_LOCK requirement. Actually, it can. With SELinux enabled, you run oracle as uid 0 in a TE domain that is allowed to use CAP_IPC_LOCK (e.g. allow oracle_t self:capability ipc_lock;) and no other capabilities, and you are done. Naturally, you would need to define a domain for oracle. uid 0 has no special significance to SELinux; it is only required to satisfy the secondary module you stack with SELinux, i.e. dummy or capabilities, and the ability to use capabilities is controlled by the TE policy. Or, if you want to drop the need to use uid 0 entirely, you unhook the secondary_ops from SELinux so that SELinux alone makes the capability decisions. But that will require finer tuning of the policy configuration. None of this is to argue against fixing the base capability logic, just to note that SELinux can control capability usage. -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/