On Mon, 29 Jan 2007, Stephen Smalley wrote: > NAK. Mapping all sysctls to a single security label prevents any kind > of fine-grained security on sysctls, and current policies already make > use of the current distinctions to limit access to particular sets of > sysctls to particular processes. As is, I'd expect breakage of current > systems running SELinux from this patch, because (confined) processes > that formerly only required access to specific sysctl labels will > suddenly run into denials on the generic fallback label.
Agreed, 100% NACK. Please don't just simply remove long-researched & analyzed MAC security which has been in the kernel for years, which is being used in the field for high assurance systems, because you neglected to consider it during a code cleanup. - James -- James Morris <[EMAIL PROTECTED]> - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
