[rsbac] Missing CAPs are not logged

Andrea Pasquinucci cesare at ucci.it
Thu Jan 20 20:01:00 CET 2005


On Thu, Jan 20, 2005 at 09:27:37AM +0100, Amon Ott wrote:
> On each setuid and execute, the CAP module sets the given minimum caps
> and removes those not in the maximum set.

Let me see if I understand correctly: the minimum capabilities are added
if the process does not have them (but usually caps_min is all 0) and
the maximum capabilities not in the set are removed if the process has
them (but usually caps_max is all 1), right?

 
> In softmode, the CAP module only enforces the minimum

So it adds them even in softmode.

> but not the maximum values

So it does not remove them (correctly for softmode!), but my question is
whether in softmode it logs that it (rsbac) should have removed the
capability and did not. Does it? From what you say next it seems not;
can it be added in that case?

Andrea

