On Sun, Oct 17, 2004 at 03:01:54AM +0200, Erich Schubert wrote:
> Hi,
>
> > as i understand it, there is no "escalation" present in SE/Linux,
> > only that assigned in the minds of us humans.
> [...]
> > that's a bit different from "escalating privilege" because that implies
> > hierarchy, which SE/Linux doesn't have, per-se.
>
> As long as you have roles with certain higher privileges (for example
> writing to configuration files, binding to arbitrary ports, loading a
> new policy...) there is privilege escalation.
> Privilege escalation just means getting more rights than you were
> supposed to get.

oh right, okay: then my statement is incorrect and it is more that
policy writers need to get their policies right, by not allowing
more than is needed!

> You usually don't care about losing access rights,
> because you could have done things there earlier. It's only about getting
> a privilege you want to have.

my point is that selinux allows that [to go from one domain to the
next, losing all previous rights of the prior domain and gaining
those of the next domain].

which is not a "normal" security system so to speak: i'd consider
"normal" to be that you get given more privileges by going to a
"higher" privileged state [but i'm not saying "normal" is "good"].

l.

--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
lkcl.net (http://lkcl.net)
lkcl@xxxxxxxx
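
Added example, not part of the original message or of any SELinux tooling: a toy model of the two points made in this exchange, that a domain transition replaces the old domain's rights instead of adding to them, and that a policy writer can still check which starting domains can reach a sensitive permission through a chain of allowed transitions. All domain names, permissions and transition rules below are constructed for illustration and are not real SELinux policy.

```python
from collections import deque

# Constructed toy policy: names are hypothetical, not real SELinux policy.
# Each domain holds only its own permissions; nothing is inherited.
ALLOW = {
    "user_t": {"read_home"},
    "passwd_t": {"write_shadow"},
    "httpd_t": {"bind_port_80", "read_www"},
    "httpd_cgi_t": {"exec_script"},
    "sysadm_t": {"write_etc"},
    "load_policy_t": {"load_policy"},
}
# Permitted domain transitions (source -> targets).
TRANSITIONS = {
    "user_t": {"passwd_t"},
    "httpd_t": {"httpd_cgi_t"},
    "httpd_cgi_t": {"sysadm_t"},   # over-broad rule a policy writer should catch
    "sysadm_t": {"load_policy_t"},
}

def permissions(domain):
    """Rights of the current domain only."""
    return frozenset(ALLOW.get(domain, ()))

def transition(current, target):
    """Move to target if allowed; the old domain's rights are dropped."""
    if target not in TRANSITIONS.get(current, ()):
        raise PermissionError(f"{current} -> {target} not allowed")
    return target

def path_to(start, perm):
    """Shortest transition chain from start to a domain holding perm, or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if perm in permissions(path[-1]):
            return path
        for nxt in sorted(TRANSITIONS.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    # Audit: which starting domains can end up able to load a new policy?
    for dom in sorted(ALLOW):
        print(dom, "->", path_to(dom, "load_policy"))
```

In this constructed policy `httpd_t` reaches `load_policy` through the over-broad `httpd_cgi_t -> sysadm_t` rule, while `user_t` cannot reach it at all.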