If we move the CAP_SYS_ADMIN checks from the trusted xattr handlers to
the corresponding hook functions in the capabilities module, then we can
replace those checks with our own permission checking for user process
access to trusted.selinux and avoid any restrictions when the SELinux
module internally performs getxattr and setxattr inode operations to
manage the security labels. This isn't difficult to implement, but
implies a change in meaning for the trusted namespace. As I understand
it, that namespace is intended for attributes that can be managed by
superuser processes. Using that namespace for SELinux means that it
will also be used for attributes managed and used internally by the
security module for access control purposes. I'm not sure that you want
to mix them; it would be similar to putting ACLs in the trusted
namespace.
-- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/