dynamic context transitions

Luke Kenneth Casson Leighton lkcl at lkcl.net
Mon Nov 1 18:45:38 GMT 2004

On Mon, Nov 01, 2004 at 10:23:10AM -0600, Darrel Goeddel wrote:
> James,
>     I am hoping that this response will also address your question of 
> applicability outside of the MLS policy.
> Luke Kenneth Casson Leighton wrote:
> > this proposal is a little bit like seteuid-for-selinux, only not
> > really, because seteuid has the ability to switch to any uid and then
> > to any uid after that, ad infinitum.
> >
> That is correct.  


> We are looking at a well-defined (via the policy) set of 
> available type transitions.  Note that you can also specify a one-way 
> dynamic transition as well (type1_t can dynamically transition to type2_t, 
> but type2_t has no dynamic transitions available).  This will allow a 
> daemon process to initialize itself with one set of access rights (bind 
> ports, read conf files, etc.), and then lock itself into a domain with less 
> access rights for the duration of its execution.  

 i understand.

 in smbd's case, however, that would be detrimental: the flexibility of
 being able to transition back again [to type2_t] is actually a

 it might even be convenient to go through a "third" type:

 type1_t: access to samba configuration files [only!] seteuid: 0
 type2_t: access to user files [only!] seteuid: NNNN
 type3_t: access to pretty much nothing (except that needed for cleanup

 the loop is type1_t, call become_user() -> goes to type2_t
 then call unbecome_user() -> transitions to type3_t and does cleanup
 (e.g. frees any alloc'd memory associated with user - if necessary)
 and then transitions to type1_t, ready for the next incoming SMB


More information about the samba-technical mailing list