[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-integrity
Subject:    Re: [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN
From:       Casey Schaufler <casey () schaufler-ca ! com>
Date:       2021-11-30 17:50:14
Message-ID: ad6a83da-f99f-a27f-6a22-712e530cfa2a () schaufler-ca ! com
[Download RAW message or body]

On 11/30/2021 9:41 AM, Stefan Berger wrote:
> 
> On 11/30/21 12:27, Casey Schaufler wrote:
> > On 11/30/2021 8:06 AM, Stefan Berger wrote:
> > > From: Denis Semakin <denis.semakin@huawei.com>
> > > 
> > > This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
> > > to setup IMA (Integrity Measurement Architecture) policies per container
> > > for non-root users.
> > 
> > Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope
> > is system security administration. It seems to fit your needs.
> > I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using
> > it would be completely appropriate.
> 
> Fine by me. I suppose we could be reusing it later on also for setting file \
> extended attributes for IMA?

Yes. That would be completely consistent with the intention and the
Smack implementation.

> 
> Stefan
> 
> 


[prev in list] [next in list] [prev in thread] [next in thread]