Hi all,
I dont know if this makes any sense but can any one tell me if
we can set up a policy where a user_r has more previleges than the
staff_r (not the sys admin). thanx in advance..
Ram
On Wed, 13 Oct 2004 13:59:02 -0400, Stephen Smalley <sds@xxxxxxxxxxxxxx> wrote:
> On Wed, 2004-10-13 at 11:20, Steve Coleman wrote:
> > This does bring to mind a burning question I have always had reguarding
> > some applications such as Java where the binary itself is too open ended
> > and where as the compiled class files, script file, or data dictate what
> > the runtime will do. I assume that many desktop environments (take your
> > pick) will have some form of builtin scripting support. How does SELinux
> > deal with these VM's? Is there any good docs online that discuss the
> > problems and current solutions that these present? Do they get their
> > security context from the script or data streams?
>
> >From the program/script. Transitions can occur on scripts (if they are
> exec'd), but the caller domain needs to be trusted with respect to the
> new domain (e.g. shedding permissions) in that case due to the lack of
> safety in script execution.
>
> Note that SELinux provides the necessary API to support userland policy
> enforcers, so a userspace VMM can be modified to use that API to obtain
> policy decisions to be applied to its internal abstractions which are
> not directly visible to the OS itself. dbus and X (but unfortunately
> not the X in Fedora yet) have been modified to use that API to enforce
> policy over their abstractions. This allows for layered security, with
> the OS providing process-level confinement and the higher level object
> managers refining that control.
>
> --
> Stephen Smalley <sds@xxxxxxxxxxxxxx>
> National Security Agency
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
