dynamic context transitions
Stephen Smalley
sds at epoch.ncsc.mil
Mon Nov 1 20:50:33 GMT 2004
On Mon, 2004-11-01 at 16:00, Luke Kenneth Casson Leighton wrote:
> > Except that SELinux mediates access to file descriptors upon transfer
> > via local socket IPC as well as attempted use for read/write, so SELinux
> > is still going to apply a permission check to the parent smbd process in
> > that situation.
>
> that i would expect.

So you are ok with allowing smbd_t the union of all smbd_$1_t
permissions?

> > Not to mention that this no doubt has a significant
> > cost.
>
> that i was not expecting.

Not the cost of the mediation, the cost of fork+exec'ing these children
for each client. Isn't that likely to add significant overhead?

--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency