Re: runcon vs newrole

On Tue, 2007-05-15 at 14:24 -0400, Daniel J Walsh wrote:
> Clarkson, Mike R (US SSA) wrote:
> > What are the differences between and advantages/disadvantages of the
> > following two commands:
> >
> > runcon -l s1 <cmd>
> > newrole -l s1 -- -c <cmd>
> >
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >   
> Off the top of my head
> 
> newrole will change the terminal to the level you want to output.  So if 
> the app reads/writes to the terminal it will work.
> 
> runcon will not, so terminal apps will fail.  Writing SystemHigh to a 
> SystemLow terminal should not work.

Further, newrole runs in its own domain and allows for transitions from
less privileged contexts to more privileged contexts, while runcon runs
in the caller's domain and requires the caller to already be
sufficiently privileged to directly make the transition.

-- 
Stephen Smalley
National Security Agency
