dynamic context transitions

Stephen Smalley sds at epoch.ncsc.mil
Mon Nov 1 20:50:33 GMT 2004

On Mon, 2004-11-01 at 16:00, Luke Kenneth Casson Leighton wrote:
> > Except that SELinux mediates access to file descriptors upon transfer
> > via local socket IPC as well as attempted use for read/write, so SELinux
> > is still going to apply a permission check to the parent smbd process in
> > that situation.  
>  that i would expect.

So you are ok with allowing smbd_t the union of all smbd_$1_t

> > Not to mention that this no doubt has a significant
> > cost.
>  that i was not expecting.

Not the cost of the mediation, the cost of fork+exec'ing these children
for each client.  Isn't that likely to add significant overhead?

Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency

More information about the samba-technical mailing list