dynamic context transitions
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Mon Nov 1 18:45:38 GMT 2004
On Mon, Nov 01, 2004 at 10:23:10AM -0600, Darrel Goeddel wrote:
> I am hoping that this response will also address your question of
> applicability outside of the MLS policy.
> Luke Kenneth Casson Leighton wrote:
> > this proposal is a little bit like seteuid-for-selinux, only not
> > really, because seteuid has the ability to switch to any uid and then
> > to any uid after that, ad infinitum.
> That is correct.
> We are looking at a well-defined (via the policy) set of
> available type transitions. Note that you can also specify a one-way
> dynamic transition as well (type1_t can dynamically transition to type2_t,
> but type2_t has no dynamic transitions available). This will allow a
> daemon process to initialize itself with one set of access rights (bind
> ports, read conf files, etc.), and then lock itself into a domain with less
> access rights for the duration of its execution.
in smbd's case, however, that would be detrimental: the flexibility of
being able to transition back again [to type2_t] is actually a
it might even be convenient to go through a "third" type:
type1_t: access to samba configuration files [only!] seteuid: 0
type2_t: access to user files [only!] seteuid: NNNN
type3_t: access to pretty much nothing (except that needed for cleanup
the loop is type1_t, call become_user() -> goes to type2_t
then call unbecome_user() -> transitions to type3_t and does cleanup
(e.g. frees any alloc'd memory associated with user - if necessary)
and then transitions to type1_t, ready for the next incoming SMB
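The type1_t -> type2_t -> type3_t -> type1_t loop sketched above, written out as an added example; this is not code from the thread, from Samba or from the SELinux project. It encodes the loop as an explicit transition table (the policy it mirrors is written in comments, in kernel policy syntax, using the assumed domain names smbd_init_t, smbd_user_t and smbd_cleanup_t for type1_t, type2_t and type3_t), so the one-way step the post relies on, that type2_t cannot go straight back to type1_t, is visible and checkable, and it shows the mechanism a process uses to change its own domain under SELinux: writing the new context to /proc/self/attr/current, which is what libselinux's setcon(3) does, subject to the process dyntransition permission in policy.

```c
/* Added example, not from the thread or from Samba.
 * Assumed policy (kernel policy syntax) for the loop in the post:
 *
 *   allow smbd_init_t    smbd_user_t:process    dyntransition;  # become_user()
 *   allow smbd_user_t    smbd_cleanup_t:process dyntransition;  # unbecome_user()
 *   allow smbd_cleanup_t smbd_init_t:process    dyntransition;  # next request
 *
 * Deliberately no rule from smbd_user_t back to smbd_init_t: the per-user
 * stage has to pass through the cleanup domain before it can regain access
 * to the configuration files.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical domain names standing in for type1_t/type2_t/type3_t. */
#define INIT_T    "smbd_init_t"
#define USER_T    "smbd_user_t"
#define CLEANUP_T "smbd_cleanup_t"

struct dyn_rule { const char *from, *to; };

/* Userspace mirror of the assumed dyntransition rules above, so the daemon
 * can check a step before asking the kernel (the kernel is still the
 * authority: an unpermitted write below fails with EACCES). */
static const struct dyn_rule rules[] = {
    { INIT_T,    USER_T    },
    { USER_T,    CLEANUP_T },
    { CLEANUP_T, INIT_T    },
};

/* 1 if the modelled policy permits a dynamic transition from -> to, else 0. */
int dyntransition_allowed(const char *from, const char *to)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strcmp(rules[i].from, from) == 0 && strcmp(rules[i].to, to) == 0)
            return 1;
    return 0;
}

/* out = ctx ("user:role:type[:range]") with the type field replaced.
 * Returns 0, or -1 if ctx has fewer than three fields or out is too small. */
int replace_type(const char *ctx, const char *type, char *out, size_t outsz)
{
    const char *p1 = strchr(ctx, ':');
    const char *p2 = p1 ? strchr(p1 + 1, ':') : NULL;
    if (!p2) return -1;
    const char *old_type = p2 + 1;
    const char *rest = strchr(old_type, ':');   /* MLS/MCS range, may be absent */
    if (!rest) rest = "";
    int n = snprintf(out, outsz, "%.*s%s%s", (int)(old_type - ctx), ctx, type, rest);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Switch this process to domain `type`, keeping user, role and range.
 * Returns 0 on success, -1 with errno set. Without SELinux the read or
 * write fails; with SELinux enforcing, a step not permitted by a
 * dyntransition rule fails with EACCES, and a multi-threaded process is
 * refused unless the new type is bounded by the old one (typebounds). */
int dyntransition_to(const char *type)
{
    char cur[256], next[256];
    int fd = open("/proc/self/attr/current", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, cur, sizeof cur - 1);
    close(fd);
    if (n <= 0) return -1;
    cur[n] = '\0';
    cur[strcspn(cur, "\n")] = '\0';
    if (replace_type(cur, type, next, sizeof next) < 0) { errno = EINVAL; return -1; }
    fd = open("/proc/self/attr/current", O_WRONLY);
    if (fd < 0) return -1;
    ssize_t len = (ssize_t)strlen(next);
    ssize_t w = write(fd, next, (size_t)len);
    int saved = errno;
    close(fd);
    if (w != len) { errno = saved ? saved : EIO; return -1; }
    return 0;
}

/* One request's worth of the loop from the post: checked against the
 * model first, then attempted for real. Returns the number of steps the
 * model permitted (3 for the full loop); the kernel result is reported. */
int run_request_loop(void)
{
    const char *path[] = { INIT_T, USER_T, CLEANUP_T, INIT_T };
    int permitted = 0;
    for (int i = 0; i < 3; i++) {
        if (!dyntransition_allowed(path[i], path[i + 1])) continue;
        permitted++;
        if (dyntransition_to(path[i + 1]) < 0)
            fprintf(stderr, "%s -> %s: %s\n", path[i], path[i + 1], strerror(errno));
    }
    return permitted;
}

int main(void)
{
    printf("shortcut %s -> %s allowed by model: %d\n", USER_T, INIT_T,
           dyntransition_allowed(USER_T, INIT_T));
    printf("loop steps permitted by model: %d\n", run_request_loop());
    return 0;
}
```

The table is the only place the loop's shape is written down in userspace, so it serves as a test oracle for the policy as well: the direct USER_T -> INIT_T shortcut must come back 0 in both the model and (as EACCES) from the kernel, otherwise a compromised per-user stage could skip the cleanup domain and regain the configuration-file access the post wants confined to type1_t.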