Thanks for the response. Based on your comments, am I correct in thinking that it is better to provide trusted selinux aware domains access to runcon rather than newrole, since runcon will restrict those domains to do only what the selinux policy allows? > -----Original Message----- > From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] > Sent: Monday, May 21, 2007 12:02 PM > To: Daniel J Walsh > Cc: Clarkson, Mike R (US SSA); fedora-selinux-list@xxxxxxxxxx > Subject: Re: runcon vs newrole > > On Tue, 2007-05-15 at 14:24 -0400, Daniel J Walsh wrote: > > Clarkson, Mike R (US SSA) wrote: > > > What are the differences between and advantages/disadvantages of the > > > following two commands: > > > > > > runcon -l s1 <cmd> > > > newrole -l s1 --c <cmd> > > > > > > > > > -- > > > fedora-selinux-list mailing list > > > fedora-selinux-list@xxxxxxxxxx > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > > Of the top of my head > > > > newrole will change the terminal to the level you want to output. So if > > the app read/writes to the terminal it will work. > > > > runcon will not so terminal apps will fail. Writing SystemHigh to a > > SystemLow terminal should not work. > > Further, newrole runs in its own domain and allows for transitions from > less privileged contexts to more privileged contexts, while runcon runs > in the caller's domain and requires the caller to already be > sufficiently privileged to directly make the transition. > > -- > Stephen Smalley > National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
