| 1 |
Joshua Brindle posted <40E97B48.4060904@g.o>, excerpted below, on |
| 2 |
Mon, 05 Jul 2004 12:01:12 -0400: |
| 3 |
|
| 4 |
> Now then, about LSM.. Capabilities are still hard coded into the kernel |
| 5 |
> if you do _NOT_ use LSM (ie: selinux). That means every single Linux |
| 6 |
> kernel has capabilies enabled and available. Once LSM is enabled the |
| 7 |
> capabilities module takes over cap handling. This is why we recommend |
| 8 |
> (strongly!) that the capabilities module be enabled with selinux. |
| 9 |
|
| 10 |
I do not believe that's the case any longer. Capabilities are now an |
| 11 |
option in the mainline 2.6 kernels, I believe under |
| 12 |
Linux-security-modules (what you referred to with LSM?), but disable-able |
| 13 |
without enabling anything else.. They can be built-in, compiled as |
| 14 |
modules, or left out entirely. |
| 15 |
|
| 16 |
Here, I compile them/it as a module (and I don't compile SELinux, |
| 17 |
either.. I don't believe it's an option, at least for vanilla AMD64 |
| 18 |
kernels, yet), but have it set to auto-load, both in Mandrake and in |
| 19 |
Gentoo, because BIND does indeed need them as compiled by both |
| 20 |
distributions, and I do run it. |
| 21 |
|
| 22 |
-- |
| 23 |
Duncan - List replies preferred. No HTML msgs. |
| 24 |
"They that can give up essential liberty to obtain a little |
| 25 |
temporary safety, deserve neither liberty nor safety." -- |
| 26 |
Benjamin Franklin |
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-dev@g.o mailing list |
Archives