RFE: Add finer-grained LSM/SELinux controls for CAP_SYS_ADMIN functionality

Question

RFE: Add finer-grained LSM/SELinux controls for CAP_SYS_ADMIN functionality

stephensmalley opened this issue 8 years ago · 2 comments

As discussed on the mailing list, split up CAP_SYS_ADMIN by introducing new finer-grained LSM hooks and SELinux permission checks for logical groupings of the operations currently controlled by CAP_SYS_ADMIN.

Answer 1 · 2017-01-01T15:59:18.000Z

While on it, are there plans to split up NET_ADMIN likewise, especially to counter the NET_ADMIN requests the setsockopt call is making?

Answer 2 · 2017-01-02T22:25:34.000Z

@cgzones I'm not aware of any plans regarding NET_ADMIN, but that can always change.