two questions

Eric Paris eparis at redhat.com
Fri Jan 4 23:34:06 UTC 2008


On Fri, 2008-01-04 at 14:26 -0800, Clarkson, Mike R (US SSA) wrote:
> Is there someplace I can go to find a description of the libselinux API?

Not sure, I just read the code :) The Fedora libselinux-devel
package provides man pages for most (maybe all?) of the interfaces.

> 
> Is there a way to change the context of an existing process, without
> having to execute a new process?

Yes, the permission is dyntransition in the process class.  It is
STRONGLY, let me say that again VERY STRONGLY, suggested that you don't
make use of this facility.  Basically you lose all separation between
those 2 domains.  You don't have any assurance that the process before
the transition didn't get hacked/corrupted/bugged and is now
transitioning to a new domain but able to do the wrong things (or
sometimes even worse not transition to the new domain at all).

I'm not sure what the rationale was to put it in originally but please
just find a way to do it on an execve boundary.

-Eric 
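
An added example, not part of the message above and not libselinux or project code: a small audit that reads allow rules in policy-source syntax and separates domain pairs granted `dyntransition` from those using the exec-based `transition` permission. The rule lines and type names are constructed for illustration.

```python
import re

# One allow rule in policy-source syntax:
#   allow SRC TGT:CLASS PERM;   or   allow SRC TGT:CLASS { PERM ... };
RULE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+?)\s*;")

# Constructed sample rules (hypothetical type names).
SAMPLE = """\
allow init_t daemon_t:process transition;    # domain change at execve
allow daemon_t worker_t:process dyntransition;
allow daemon_t self:process { fork sigchld };
allow login_t user_t:process { transition dyntransition };
allow daemon_t etc_t:file { read getattr };
""".splitlines()


def process_transitions(lines):
    """Collect (source, target) pairs per process-class transition permission."""
    found = {"dyntransition": [], "transition": []}
    for line in lines:
        m = RULE.match(line.split("#", 1)[0])  # ignore trailing comments
        if not m:
            continue
        src, tgt, cls, perms = m.groups()
        if cls != "process":
            continue
        for perm in perms.strip("{} ").split():
            if perm in found:
                found[perm].append((src, tgt))
    return found


def dyn_without_exec(found):
    """Pairs that can only change domain in-process, never on an execve boundary."""
    return [p for p in found["dyntransition"] if p not in found["transition"]]


if __name__ == "__main__":
    result = process_transitions(SAMPLE)
    for src, tgt in result["dyntransition"]:
        print(f"review: {src} may dyntransition to {tgt}")
    for src, tgt in dyn_without_exec(result):
        print(f"no exec-based path: {src} -> {tgt}")
```

Every pair it reports is a place where the source domain's integrity is all that protects the target domain, which is the loss of separation described above.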