dynamic context transitions
Russell Coker
russell at coker.com.au
Mon Nov 8 14:42:16 GMT 2004
On Tuesday 02 November 2004 07:25, Stephen Smalley <sds at epoch.ncsc.mil> wrote:
> > the helper application opens files as-and-when they are needed,
> > [and also does mkdirs? and rmdirs?] and then passes the file
> > descriptor over a unix-domain-socket to the smbd process,
> > which NEVER itself does file opens under a user context.
> >
> > i believe it then no longer becomes necessary for smbd to
> > call become_user().
>
> Except that SELinux mediates access to file descriptors upon transfer
> via local socket IPC as well as attempted use for read/write, so SELinux
> is still going to apply a permission check to the parent smbd process in
> that situation. Not to mention that this no doubt has a significant
> cost.
The cost is only for open, creat, link, symlink, unlink, mkdir, and rmdir
operations, which usually aren't that performance critical. The few
applications for which such operations are performance critical (Maildir
format mail spool and old style INN news spool) are unlikely to be used over
SMB.
As for allowing operations, the parent must be permitted to receive file
handles from the child and to have read/write access to all files that the
child processes may open.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page