Stephen Smalley wrote:
On Mon, 2008-09-01 at 17:03 +1000, Murray McAllister wrote:
A process in one domain transitions to another domain by executing a new
program with the entrypoint type for the new domain.
How about:
A subject in one domain transitions to another domain by executing an
object that is labeled with a file type that has entrypoint permission
for the new domain. The entrypoint permission is used in SELinux policy,
and controls which domains an object can enter. The following example...
Not exactly:
1) A new domain has entrypoint permission to the file type, not the
other way around.
2) The entrypoint permission controls which programs can be used to
enter a domain, not the other way around.
How about (from your original suggestion):
A subject in one domain transitions to another domain by executing an
object that has the entrypoint file type for the new domain. The
entrypoint permission is used in SELinux policy, and controls which
objects can be used to enter a domain.
I added the following to the list of steps:
An SELinux policy rule states that the passwd_t domain type has
entrypoint permission to the passwd_exec_t file type.
Thanks.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
