Closed cgzones closed 11 months ago
@cgzones Any chance you can publish an update to this based on Daniel's feedback above, or would you prefer us to pick it up?
Reviewed-by: Joshua Brindle brindle@gmail.com
@jbrindle In the future, would you be able to wait longer before a merge? I would think that typically someone who has reviewed an earlier version may want to review a later version as well, but with just 3 hours after the update, I hadn't gotten to it yet. (It's also the workflow described in https://github.com/SELinuxProject/selinux-notebook/blob/main/MAINTAINER_PROCESS.md to wait for two maintainer acks unless "a reasonable period of time (for example a delay of over two weeks)" has passed)
In the general case a rejected capability check will result in an audit event. There are however some instances in the kernel where denied capability checks are not audited, which could lead to differences in behavior between enforcing and permissive mode.
Document this fact and list (hopefully) all occurrences in kernel v6.4.
Inspired by https://patchwork.kernel.org/project/selinux/patch/20230718115607.65652-1-omosnace@redhat.com/ /cc @WOnder93
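To make the enforcing/permissive difference concrete, here is an added userspace model of the path a capability check takes through selinux_capable() -> cred_has_capability() in security/selinux/hooks.c. It is example code written for this page, not kernel code and not part of the PR or the notebook: the struct names, the bitmask "policy", the `_model` function names and the constructed policy are stand-ins, and only the CAP_OPT_NOAUDIT bit value and the capability numbers are taken from the kernel headers. What it shows is that a denied check issued with CAP_OPT_NOAUDIT leaves no audit record in either mode, so permissive mode grants it silently and enforcing mode refuses it silently.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical userspace model (added example, not kernel code) of
 * security_capable() -> selinux_capable() -> cred_has_capability().
 * There is no AVC, policy or audit subsystem here; the structs below are
 * stand-ins that only reproduce the decision/audit logic. */

#define CAP_OPT_NONE    0
#define CAP_OPT_NOAUDIT (1u << 1)   /* same bit value as include/linux/security.h */

enum { CAP_NET_ADMIN = 12, CAP_SYS_PTRACE = 19, CAP_SYS_ADMIN = 21 };

struct selinux_state { bool enforcing; };

/* Stand-in for the loaded policy: bit N set means the subject's domain is
 * allowed capability N; everything else is a denial. */
struct policy { unsigned long long allowed_caps; };

struct result {
    int rc;        /* 0 = granted, -EPERM = denied, as returned to the caller */
    bool audited;  /* whether an AVC denial record would have been emitted */
};

/* Mirrors avc_has_perm_noaudit()/avc_denied(): a denial becomes -EPERM only
 * in enforcing mode; in permissive mode it is granted but still flagged so
 * that a later avc_audit() can log it. */
static int avc_has_perm_noaudit_model(const struct selinux_state *st,
                                      const struct policy *pol, int cap,
                                      bool *denied)
{
    *denied = !(pol->allowed_caps & (1ULL << cap));
    if (!*denied)
        return 0;
    return st->enforcing ? -EPERM : 0;
}

/* Mirrors cred_has_capability(): avc_audit() runs only when CAP_OPT_NOAUDIT
 * is clear, so a noaudit denial leaves no trace in either mode. */
struct result cred_has_capability_model(const struct selinux_state *st,
                                        const struct policy *pol, int cap,
                                        unsigned int opts)
{
    struct result r = { 0, false };
    bool denied;

    r.rc = avc_has_perm_noaudit_model(st, pol, cap, &denied);
    if (denied && !(opts & CAP_OPT_NOAUDIT))
        r.audited = true;
    return r;
}

/* The situation the patch documents: the same check is granted in permissive
 * mode and refused in enforcing mode, and neither outcome produces an audit
 * record, so the missing allow rule is never surfaced by a permissive run. */
bool denial_invisible_model(const struct policy *pol, int cap, unsigned int opts)
{
    struct selinux_state permissive = { false }, enforcing = { true };
    struct result p = cred_has_capability_model(&permissive, pol, cap, opts);
    struct result e = cred_has_capability_model(&enforcing, pol, cap, opts);

    return p.rc == 0 && e.rc == -EPERM && !p.audited && !e.audited;
}

int main(void)
{
    /* Constructed policy: the domain may use CAP_NET_ADMIN only. */
    struct policy pol = { 1ULL << CAP_NET_ADMIN };

    printf("CAP_SYS_ADMIN, audited check, invisible denial: %d\n",
           denial_invisible_model(&pol, CAP_SYS_ADMIN, CAP_OPT_NONE));
    printf("CAP_SYS_ADMIN, noaudit check, invisible denial: %d\n",
           denial_invisible_model(&pol, CAP_SYS_ADMIN, CAP_OPT_NOAUDIT));
    return 0;
}
```

The practical consequence for policy writers is that auditing a workload in permissive mode cannot reveal the rules needed by the kernel call sites that use ns_capable_noaudit()/capable_noaudit() or pass CAP_OPT_NOAUDIT; those have to be found from the kernel source, which is what the list in this patch is for.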