runcon vs newrole

Stephen Smalley sds at tycho.nsa.gov
Tue May 29 17:38:36 UTC 2007


On Tue, 2007-05-22 at 13:26 -0700, Clarkson, Mike R (US SSA) wrote:
> Thanks for the response.
> 
> Based on your comments, am I correct in thinking that it is better to
> provide trusted selinux aware domains access to runcon rather than
> newrole, since runcon will restrict those domains to do only what the
> selinux policy allows?

That doesn't sound right.  runcon itself doesn't restrict anything; it
is just a utility that runs in the domain of the caller and has no more
(or less) permissions than its caller.  Even the ability to execute the
runcon code is uninteresting.  The operating system is what controls the
ability to transition.

Use runcon only when the caller is already trusted (and trustworthy) to
directly effect the transition and when the caller will take whatever
actions are necessary to properly set up the environment for the new
context.  Use newrole when you want some enforced separation between the
caller and the new context and you want the newrole program to handle
setting up the environment for the new context (e.g. polyinstantiated
directories).

-- 
Stephen Smalley
National Security Agency
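The point that the policy, not runcon, decides whether a transition may happen can be seen in the rules a policy has to carry before runcon can succeed at all. The fragment below is an added illustration in SELinux policy (.te) syntax, not something from the list thread; caller_t, target_t and target_exec_t are placeholder type names, and the exact file permission set depends on the policy version in use.

```te
# Constructed example: minimal rules for a caller in caller_t to enter
# target_t by running "runcon -t target_t /path/to/target" on its own.
# Type names are placeholders, not from any shipped policy.

# 1. runcon itself is an ordinary binary that runs in the caller's domain.
#    If the caller may not execute it, nothing else below matters.
#    (refpolicy usually grants this via corecmd_exec_bin(caller_t).)
allow caller_t bin_t:file { getattr open read execute execute_no_trans };

# 2. runcon asks for the new context with setexeccon(); the kernel
#    only honours that request if the caller holds setexec on itself.
allow caller_t self:process setexec;

# 3. The classic three rules that make the domain transition legal.
#    Without all three, the execve inside runcon is denied by the kernel,
#    whatever context runcon requested.
#    (Newer policies also want "map" in the file permission set.)
allow caller_t target_exec_t:file { getattr open read execute };
allow target_t target_exec_t:file entrypoint;
allow caller_t target_t:process transition;

# Deliberately absent: a type_transition rule. runcon is for the case
# where the caller picks the target domain explicitly and is trusted to
# set up the new environment; the policy only says whether that pick is
# allowed. If instead you want the separation newrole gives, the caller
# does not get these rules and newrole_t performs the transition after
# authenticating the user and preparing the environment.
```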