Re: [Cerb-list] cerber and setuid

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Pawel Jakub Dawidek <ni...@ga...>:

> MAC, as I said, is just API for kernel modules.
> There is no such MAC policy that will provide cerb functionality and
> there can't be such. You can't elevate privileges in MAC because
> there is no place to downgrade it after operation. You can't modify
> syscall argument, return values, etc.
>
> CerbNG is transparent for application. You don't need to rewrite
> application to use cerb functionality.

to me what this boils down to is that cerber is better for admins.
or, where would i prefer MAC?

  clemens