On Thu, Apr 12, 2012 at 9:34 PM, James Morris <jmorris@xxxxxxxxx> wrote:
> On Thu, 12 Apr 2012, Andrew Lutomirski wrote:
>
>> > What about dynamic transitions in SELinux?
>> >
>>
>> What's a dynamic transition?
>
> The security label can be changed without an exec:
>
> See selinux_setprocattr(), for "current".

Ah. I see nothing wrong with that, for the same reason I see nothing wrong with setuid (the system call) after PR_SET_NO_NEW_PRIVS. The privileges granted by writing to /proc/self/attr/current were already available in the sense that you could have written to current whenever you wanted to.

(FWIW, I think that selinux should have made that the only way to change contexts, full stop. And I think that the setuid and setgid bits were mistakes. Water under the bridge...)

--Andy
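Added example, not part of the thread: a small C program that sets PR_SET_NO_NEW_PRIVS on itself, confirms the flag with PR_GET_NO_NEW_PRIVS, and reads its own SELinux label from /proc/self/attr/current, the attribute whose write path is the dynamic transition discussed above. It assumes Linux 3.5 or later; on a system without SELinux the read fails and the program reports that instead.

```c
/* Added example: no_new_privs plus the process's own SELinux label.
 * Assumes Linux >= 3.5 (PR_SET_NO_NEW_PRIVS). */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Set no_new_privs on the caller. The flag is one-way and is inherited by
 * children across fork and exec. Returns 0 on success, -1 on error. */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Returns 1 if no_new_privs is set, 0 if not, -1 on error. */
int get_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Read the current SELinux context into buf. Returns its length, or -1 if
 * the attribute cannot be read (e.g. SELinux not enabled; errno is kept).
 * Reading is unprivileged; writing a new context to this same file is the
 * "dynamic transition" from the thread and is decided by SELinux policy,
 * not by no_new_privs. */
int read_selinux_context(char *buf, size_t len)
{
    int fd = open("/proc/self/attr/current", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    int saved = errno;
    close(fd);
    if (n <= 0) { errno = saved; return -1; }
    buf[n] = '\0';
    n = (ssize_t)strcspn(buf, "\n"); /* kernel may end value with '\n' or '\0' */
    buf[n] = '\0';
    return (int)n;
}

int main(void)
{
    if (set_no_new_privs() != 0) { perror("prctl(PR_SET_NO_NEW_PRIVS)"); return 1; }
    printf("no_new_privs = %d\n", get_no_new_privs());
    char ctx[256];
    if (read_selinux_context(ctx, sizeof ctx) >= 0) printf("SELinux context: %s\n", ctx);
    else printf("SELinux context unavailable (%s)\n", strerror(errno));
    return 0;
}
```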