dynamic context transitions

Russell Coker russell at coker.com.au
Mon Nov 8 14:42:16 GMT 2004


On Tuesday 02 November 2004 07:25, Stephen Smalley <sds at epoch.ncsc.mil> wrote:
> >  the helper application opens files as-and-when they are needed,
> >  [and also does mkdirs? and rmdirs?] and then passes the file
> >  descriptor over a unix-domain-socket to the smbd process,
> >  which NEVER itself does file opens under a user context.
> >
> >  i believe it then no longer becomes necessary for smbd to
> >  call become_user().
>
> Except that SELinux mediates access to file descriptors upon transfer
> via local socket IPC as well as attempted use for read/write, so SELinux
> is still going to apply a permission check to the parent smbd process in
> that situation.  Not to mention that this no doubt has a significant
> cost.

The cost is only for open, creat, link, symlink, unlink, mkdir, and rmdir 
operations, which usually aren't that performance critical.  The few 
applications for which such operations are performance critical (Maildir 
format mail spool and old style INN news spool) are unlikely to be used over 
SMB.

As for allowing operations, the parent must be permitted to receive file 
handles from the child and to have read/write access to all files that the 
child processes may open.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

