Ilya Konstantinov wrote:
> Just to set the facts straight, "capabilities" are not part of
> SELinux.

Ok. Sorry. Don't have any experience with either.

> SELinux is a different shot at this, one which is not derived from
> "capabilities", so it should not be brought into this discussion.

Doesn't SELinux have direct ACL support on processes? That should allow approaching it directly, i.e. instead of taking a root process and removing most stuff, taking a non-root process and adding this particular ability?

Like I said, I don't know SELinux all that well, so I don't know whether what I just said makes any sense.

> You might be able to leave some chosen capability with a non-root
> process by:
> 1. Starting as a root process.
> 2. Eliminating all but the needed capabilities with capset(2) (or
>    whatever higher-level function there is -- they're undocumented on my
>    system)
> 3. Making the system keep capabilities upon seteuid by calling
>    prctl(2) with PR_SET_KEEPCAPS.
> 4. seteuid(2) and exec(3) your Java thing.
>
> I didn't actually try it, but it makes sense from the docs.

My way's funnier.

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
Have you backed up today's work?
http://www.lingnu.com/backup.html
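The capset / PR_SET_KEEPCAPS / setuid / exec recipe quoted above, written out as an added example (not code from either poster; Linux only, must be started as root, and the function names are invented here). Two details the recipe glosses over are handled in the code: CAP_SETUID has to survive until after the uid change, setuid then clears the effective set (so it is re-raised), and a capability only survives execve(2) of a binary without file capabilities if it is also placed in the ambient set (Linux 4.3 and later).

```c
/* Added example: keep exactly one capability across root -> unprivileged.
 * Linux only; the caller must start as root and execve(2) afterwards. */
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#ifndef PR_CAP_AMBIENT            /* older glibc headers lack these two */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif

/* v3 capability data: two 32-bit words per set, covering caps 0..63. */
typedef struct { struct __user_cap_data_struct d[2]; } capdata_t;

/* Build a capset(2) payload holding exactly `caps` (and nothing else) in
 * the permitted, effective and inheritable sets. */
capdata_t capdata_for(const int *caps, size_t n)
{
    capdata_t c;
    memset(&c, 0, sizeof c);
    for (size_t i = 0; i < n; i++) {
        unsigned bit = 1u << (caps[i] % 32);
        c.d[caps[i] / 32].permitted   |= bit;
        c.d[caps[i] / 32].effective   |= bit;
        c.d[caps[i] / 32].inheritable |= bit;
    }
    return c;
}

/* Switch to `uid` retaining only `cap`. Returns 0, or -1 with errno set. */
int keep_only_capability(int cap, uid_t uid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    int stage1[] = { cap, CAP_SETUID };           /* setuid still needs CAP_SETUID */
    capdata_t with_setuid = capdata_for(stage1, 2), only = capdata_for(&cap, 1);

    if (syscall(SYS_capset, &hdr, with_setuid.d) < 0) return -1; /* steps 1-2 */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) < 0) return -1;   /* step 3   */
    /* Step 4: the permitted set survives, the effective set is cleared. */
    if (setresuid(uid, uid, uid) < 0) return -1;
    /* Re-raise the effective set and drop CAP_SETUID now that uid != 0. */
    if (syscall(SYS_capset, &hdr, only.d) < 0) return -1;
    /* Without file caps on the target binary only the ambient set survives
     * execve(2); raising requires cap in both permitted and inheritable. */
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)cap, 0UL, 0UL);
}
```

A caller would run `keep_only_capability(CAP_NET_BIND_SERVICE, target_uid)` as root and then execve(2) the Java launcher; the exec'd process can bind ports below 1024 and nothing else beyond an ordinary user.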