[rsbac] Missing CAPs are not logged
Andrea Pasquinucci
cesare at ucci.it
Thu Jan 20 20:01:00 CET 2005
On Thu, Jan 20, 2005 at 09:27:37AM +0100, Amon Ott wrote:
* On each setuid and execute, the CAP module sets the given minimum caps
* and removes those not in the maximum set.
Let me see if I understand correctly, the minimum capabilities are added
if the process does not have them (but usually caps_min is all 0) and
the maximum capabilities not in the set are removed if the process has
them (but usually caps_max is all 1), right?
* In softmode, the CAP module only enforces the minimum
So it adds them even in softmode
* but not the maximum values
so it does not remove them (correctly for softmode!), but my question is
if in softmode it logs or not that it (rsbac) should have removed the
capability and did not, does it? From what you say next it seems not,
can it be added in case?
Andrea