On Mon, 2008-01-07 at 09:43 +1100, James Morris wrote:
> On Fri, 4 Jan 2008, Eric Paris wrote:
>
> > yes, the permission is dyntransition in the process class. it is
> > STRONGLY, let me say that again VERY STRONGLY, suggested that you don't
> > make use of this facility. Basically you lose all separation between
> > those 2 domains. You don't have any assurance that the process before
> > the transition didn't get hacked/corrupted/bugged and is now
> > transitioning to a new domain but able to do the wrong things (or
> > sometimes even worse not transition to the new domain at all)
> >
> > I'm not sure what the rationale was to put it in originally but please
> > just find a way to do it on an execve boundary.
>
> Dynamic transitions were added for privileged MLS applications, which
> sometimes need to implement privilege bracketing (i.e. changing security
> level for some operation). It should be thought of as a legacy MLS
> feature and not otherwise used.

It has also been suggested as a way of dealing with php scripts
(switching contexts when interpreting them), and as a way of handling
samba (switching to a context derived from the client so that filesystem
accesses are confined based on the client, although to do that properly,
you need derived domains or a fscontext a la fsuid). It is weaker than
the exec-based transitions, but can have practical benefits.

--
Stephen Smalley
National Security Agency
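
An added example, not part of the thread and not code from any of the posters: a small audit script that separates the domain pairs a policy allows to change context dynamically from those that transition on an execve boundary. The rules are constructed sample input with hypothetical type names; it assumes the "allow source target:class perms;" rule form, and that a process changing its own context also needs `setcurrent` on itself.

```python
import re

# Constructed sample rules; every type name here is hypothetical.
SAMPLE_RULES = """
allow smbd_t smbd_client_t:process dyntransition;
allow smbd_t self:process { fork setcurrent sigchld };
allow httpd_t httpd_php_t:process { transition sigchld };
allow init_t sshd_t:process transition;
allow mls_app_t mls_app_t:process { setcurrent dyntransition };
# allow old_t new_t:process dyntransition;
"""

# allow <source> <target>:<class> <perm>;   or   { perm perm ... };
RULE_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_allow_rules(text):
    """Yield (source, target, class, permission set) for each allow rule."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, other statements
        source, target, tclass, perms = m.groups()
        if target == "self":
            target = source
        yield source, target, tclass, set(perms.strip("{} ").split())


def audit_transitions(text):
    """Group process-class rules by how the domain change is allowed."""
    dynamic, exec_based, setcurrent = [], [], set()
    for source, target, tclass, perms in parse_allow_rules(text):
        if tclass != "process":
            continue
        if "dyntransition" in perms:   # no execve boundary: old code keeps running
            dynamic.append((source, target))
        if "transition" in perms:      # domain changes only when a new program is exec'd
            exec_based.append((source, target))
        if "setcurrent" in perms and source == target:
            setcurrent.add(source)     # process may rewrite its own context
    return {"dynamic": sorted(dynamic), "exec": sorted(exec_based),
            "setcurrent": sorted(setcurrent)}


if __name__ == "__main__":
    report = audit_transitions(SAMPLE_RULES)
    for old, new in report["dynamic"]:
        armed = "yes" if old in report["setcurrent"] else "no"
        print(f"REVIEW dyntransition {old} -> {new} (setcurrent on source: {armed})")
    for old, new in report["exec"]:
        print(f"ok     exec transition {old} -> {new}")
```

Each REVIEW line is a pair where the old domain's code continues to run in the new domain, which is the loss of separation described in the quoted message.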