Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > That sounds workable, although I think he will want a more specific hook > than security_secctx_to_secid(), or possibly a second hook call, that > would not only validate the context but authorize the use of it by the > cachefilesd process. And then the security_task_kernel_act_as() hook > just takes the secid as input rather than the task struct of the daemon, > and applies it. At that point, nfsd can use the same mechanism for > setting the acting SID based on the client process after doing its own > authorization. I thought using secids was verboten as it made things too specific. Have you example code for the security hook you mention? I'm not sure I understand why security_secctx_to_secid() is not sufficient. Or is it that I need something that takes a secctx, converts it to a secid and authorises its use all in one go? If it's this, why can't that be rolles into security_task_kernel_act_as()? That sets up a task_security struct which is then switched in and out without consultation of the LSM. David -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
