dynamic context transitions

Luke Kenneth Casson Leighton lkcl at lkcl.net
Mon Nov 1 20:35:24 GMT 2004

On Mon, Nov 01, 2004 at 03:10:41PM -0500, James Morris wrote:
> On Mon, 1 Nov 2004, Darrel Goeddel wrote:
> > James,
> >      I am hoping that this response will also address your question of 
> > applicability outside of the MLS policy.
> > I have looked back on the threads involving smbd and famd and it does indeed 
> > seem that dynamic transitions may help to bring those applications to a 
> > "SELinux-aware" state.
> Is there any reason why smbd can't exec a simple helper application in the 
> required context which only does what needs to be done?
 no there is no reason why [a helper application should] not [be used].
 i am not sure if the simple solution [that andrew and russell
 came up with] was fully enumerated: it involves exec'ing a
 per-user helper application which does a setuid.
 the helper application opens files as-and-when they are needed,
 [and also does mkdirs? and rmdirs?] and then passes the file
 descriptor over a unix-domain-socket to the smbd process,
 which NEVER itself does file opens under a user context.

 i believe it then no longer becomes necessary for smbd to
 call become_user().


you don't have to BE MAD   | this space    | my brother wanted to join mensa,
  to work, but   IT HELPS  |   for rent    | for an ego trip - and get kicked 
 you feel better!  I AM    | can pay cash  | out for a even bigger one.

More information about the samba-technical mailing list