On Tue, 2007-05-22 at 13:26 -0700, Clarkson, Mike R (US SSA) wrote:
> Thanks for the response.
>
> Based on your comments, am I correct in thinking that it is better to
> provide trusted selinux aware domains access to runcon rather than
> newrole, since runcon will restrict those domains to do only what the
> selinux policy allows?

That doesn't sound right. runcon itself doesn't restrict anything; it is just a utility that runs in the domain of the caller and has no more (or less) permissions than its caller. Even the ability to execute the runcon code is uninteresting. The operating system is what controls the ability to transition.

Use runcon only when the caller is already trusted (and trustworthy) to directly effect the transition and when the caller will take whatever actions are necessary to properly set up the environment for the new context.

Use newrole when you want some enforced separation between the caller and the new context and you want the newrole program to handle setting up the environment for the new context (e.g. polyinstantiated directories).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
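
The distinction drawn in the reply above, as an added example that is not part of the original message: a small model of the three type-enforcement checks the kernel applies to an exec-time domain transition, showing that a request made through runcon is decided on the caller's domain while one made through newrole passes through newrole's own domain. The policy is constructed, every type name other than the conventional newrole_t / newrole_exec_t pair is hypothetical, and role, user and MLS constraints are left out.

```python
# Constructed policy: (source type, target type, class, permission).
# All type names are hypothetical except the conventional newrole_t pair.
ALLOW = {
    # trusted_app_t may enter worker_t directly by executing worker_exec_t.
    ("trusted_app_t", "worker_t", "process", "transition"),
    ("trusted_app_t", "worker_exec_t", "file", "execute"),
    ("worker_t", "worker_exec_t", "file", "entrypoint"),
    # user_app_t may only enter newrole_t, which in turn may enter worker_t.
    ("user_app_t", "newrole_t", "process", "transition"),
    ("user_app_t", "newrole_exec_t", "file", "execute"),
    ("newrole_t", "newrole_exec_t", "file", "entrypoint"),
    ("newrole_t", "worker_t", "process", "transition"),
    ("newrole_t", "worker_exec_t", "file", "execute"),
    # user_app_t can execute the program, but that alone grants no transition.
    ("user_app_t", "worker_exec_t", "file", "execute"),
}


def missing_for_transition(source, target, program, allow=ALLOW):
    """Return the allow rules an exec-time transition source -> target lacks."""
    needed = [
        (source, target, "process", "transition"),
        (source, program, "file", "execute"),
        (target, program, "file", "entrypoint"),
    ]
    return [rule for rule in needed if rule not in allow]


def via_runcon(caller, target, program):
    """runcon runs in the caller's domain, so the caller is the source."""
    return missing_for_transition(caller, target, program)


def via_newrole(caller, target, program):
    """newrole runs in its own domain: caller -> newrole_t -> target."""
    return (missing_for_transition(caller, "newrole_t", "newrole_exec_t")
            + missing_for_transition("newrole_t", target, program))


if __name__ == "__main__":
    for caller in ("trusted_app_t", "user_app_t"):
        print(caller, "runcon missing:",
              via_runcon(caller, "worker_t", "worker_exec_t"))
        print(caller, "newrole missing:",
              via_newrole(caller, "worker_t", "worker_exec_t"))
```

An empty list means the model would permit the transition; a non-empty list names the rules the policy would have to grant.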