SELinux Testing Software/Scripts
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Sun Oct 17 14:04:20 UTC 2004
On Sun, Oct 17, 2004 at 03:01:54AM +0200, Erich Schubert wrote:
> Hi,
>
> > as i understand it, there is no "escalation" present in SE/Linux,
> > only that assigned in the minds of us humans.
> [...]
> > that's a bit different from "escalating privilege" because that implies
> > hierarchy, which SE/Linux doesn't have, per-se.
>
> As long as you have roles with certain higher privileges (for example
> writing to configuration files, binding to arbitrary ports, loading a
> new policy...) there is privilege escalation.
> Privilege escalation just means getting more rights than you were
> supposed to get.
ohright, okay: then my statement is incorrect and it is more that
policy writers need to get their policies right, by not allowing more
than is needed!
> You usually don't care about losing access rights,
> because you could have done things there earlier. It's only about getting
> a privilege you want to have.
my point is that selinux allows that [to go from one domain to the
next, losing all previous rights of the prior domain and gaining those
of the next domain].
which is not a "normal" security system so to speak: i'd consider
"normal" to be that you get given more privileges by going to a
"higher" privileged state [but i'm not saying "normal" is "good"].
l.
--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl at lkcl.net
More information about the fedora-selinux-list mailing list
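
An added example, not part of the original message or of any SELinux tooling: a toy model of the domain transition discussed in this thread, showing that a transition both drops the rights of the old domain and gains those of the new one, and listing the gains a policy writer would review. The rule set and transition table are constructed for illustration and are not taken from a real policy.

```python
# Constructed toy model of SELinux type enforcement; the rules below are
# hypothetical sample data, not an excerpt from any shipped policy.
from collections import deque

# allow rules: domain -> set of (target type, object class, permission)
ALLOW = {
    "user_t": {("user_home_t", "file", "write"), ("etc_t", "file", "read")},
    "passwd_t": {("shadow_t", "file", "write"), ("etc_t", "file", "read")},
    "httpd_t": {("http_port_t", "tcp_socket", "name_bind"),
                ("etc_t", "file", "read")},
}
# permitted domain transitions: source domain -> domains it may enter
TRANSITIONS = {"user_t": {"passwd_t"}, "passwd_t": set(), "httpd_t": set()}


def transition_delta(src, dst):
    """Return (gained, lost) permissions when a process moves from src to dst."""
    if dst not in TRANSITIONS.get(src, set()):
        raise PermissionError(f"policy has no transition {src} -> {dst}")
    # The new domain replaces the old one: nothing is inherited.
    return ALLOW[dst] - ALLOW[src], ALLOW[src] - ALLOW[dst]


def reachable_gains(start):
    """Map each domain reachable from start to the permissions start lacks."""
    gains, seen, queue = {}, {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(TRANSITIONS.get(cur, set())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
                gains[nxt] = ALLOW[nxt] - ALLOW[start]
    return gains


if __name__ == "__main__":
    gained, lost = transition_delta("user_t", "passwd_t")
    print("gained:", sorted(gained))
    print("lost:  ", sorted(lost))
    # Every entry here is a right the starting domain can reach but does not
    # hold itself, which is what a policy writer has to justify.
    print("review:", reachable_gains("user_t"))
```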