On Sat, 2008-01-05 at 14:58 +0100, Christoph Höger wrote:
> On Friday, 04.01.2008, 18:34 -0500, Eric Paris wrote:
> > On Fri, 2008-01-04 at 14:26 -0800, Clarkson, Mike R (US SSA) wrote:
> > > Is there someplace I can go to find a description of the libselinux API?
> >
> > not sure, i just read the code :) the fedora libselinux-devel
> > package provides man pages for most (maybe all?) of the interfaces.
> >
> > > Is there a way to change the context of an existing process, without
> > > having to execute a new process?
> >
> > yes, the permission is dyntransition in the process class. it is
> > STRONGLY, let me say that again VERY STRONGLY, suggested that you don't
> > make use of this facility. Basically you lose all separation between
> > those 2 domains. You don't have any assurance that the process before
> > the transition didn't get hacked/corrupted/bugged and is now
> > transitioning to a new domain but able to do the wrong things (or
> > sometimes even worse not transition to the new domain at all)
>
> Hi, I don't think that it is that bad. Basically I think if you can
> transition from dom_a to dom_b that still does not include transition
> back to dom_a. So you can e.g. secure a new thread which handles a
> client or something without using execve.

dyntrans only works on single threaded processes.

-Eric

> > I'm not sure what the rationale was to put it in originally but please
> > just find a way to do it on an execve boundary.
> >
> > -Eric
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list