[PATCH RFC] Define CAP_SYSLOG

Serge E. Hallyn serue at us.ibm.com
Fri Mar 12 07:02:47 PST 2010


Thanks, guys - I also need to update the selinux classmap in both
kernel and policy.  Hoping to get around to that this afternoon,
but not sure.

-serge

Quoting Andrew G. Morgan (morgan at kernel.org):
> Acked-by: Andrew G. Morgan <morgan at kernel.org>
> 
> I concur with Kees.
> 
> Cheers
> 
> Andrew
> 
> On Mon, Mar 8, 2010 at 10:58 AM, Kees Cook <kees at ubuntu.com> wrote:
> > Hi Serge,
> >
> > On Fri, Mar 05, 2010 at 02:56:07PM -0600, Serge E. Hallyn wrote:
> >> Privileged syslog operations currently require CAP_SYS_ADMIN.  Split
> >> this off into a new CAP_SYSLOG privilege which we can sanely take away
> >> from a container through the capability bounding set.
> >
> > Seems like a good idea, but it'll require code changes in libcap2,
> > libcap-ng, as well as manpages.
> >
> > I support the idea -- more stuff needs to be extracted from CAP_SYS_ADMIN,
> > but this is a nice distinct subsystem to do now.
> >
> > Acked-By: Kees Cook <kees.cook at canonical.com>
> >
> > --
> > Kees Cook
> > Ubuntu Security Team
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> > the body of a message to majordomo at vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >


More information about the Containers mailing list