two questions

James Morris jmorris at namei.org
Sun Jan 6 22:43:26 UTC 2008


On Fri, 4 Jan 2008, Eric Paris wrote:

> yes, the permission is dyntransition in the process class.  it is
> STRONGLY, let me say that again VERY STRONGLY, suggested that you don't
> make use of this facility.  Basically you lose all separation between
> those 2 domains.  You don't have any assurance that the process before
> the transition didn't get hacked/corrupted/bugged and is now
> transitioning to a new domain but able to do the wrong things (or
> sometimes even worse not transition to the new domain at all)
> 
> I'm not sure what the rationale was to put it in originally but please
> just find a way to do it on an execve boundary.

Dynamic transitions were added for privileged MLS applications, which 
sometimes need to implement privilege bracketing (i.e. changing security 
level for some operation).  It should be thought of as a legacy MLS 
feature and not otherwise used.


- James
-- 
James Morris
<jmorris at namei.org>
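
An added illustration, not part of either message and not code from the SELinux project: a small Python audit that scans policy source text for allow rules granting dyntransition in the process class, so they can be reviewed and moved to an execve boundary. The type names and sample policy are constructed; it reads plain allow rules only, not m4 macros or compiled policy.

```python
import re

# Constructed sample policy source; every type name here is hypothetical.
SAMPLE_POLICY = """
# exec-boundary transition: the new domain starts from a fresh program image
allow init_t myapp_exec_t:file { read execute };
allow init_t myapp_t:process transition;
type_transition init_t myapp_exec_t:process myapp_t;
# dynamic transitions: the running process changes its own domain
allow mlsapp_t mlsapp_high_t:process dyntransition;
allow broker_t worker_t:process { sigchld dyntransition };
allow { webapp_t batch_t } sandbox_t:process { dyntransition };
dontaudit scanner_t other_t:process dyntransition;
"""

# allow <source> <target>:<class> <perms>;  (each field a name or a { set })
ALLOW = re.compile(
    r"^[ \t]*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(\{[^}]*\}|\S+)\s+(~?\{[^}]*\}|[^\s;]+)\s*;",
    re.MULTILINE,
)

def names(token):
    """Expand 'a', '~a' or '{ a b }' into a list of names."""
    return token.strip("~{} \t\n").split()

def grants_dyntransition(perms):
    """True if a permission field includes dyntransition."""
    if perms.strip() == "*":          # wildcard: every permission in the class
        return True
    listed = "dyntransition" in names(perms)
    # '~{ ... }' is a complement set: everything except the listed permissions
    return not listed if perms.startswith("~") else listed

def find_dyntransitions(policy_text):
    """Return (source, target) pairs allowed to transition dynamically."""
    text = re.sub(r"#[^\n]*", "", policy_text)   # drop comments
    found = []
    for src, tgt, cls, perms in ALLOW.findall(text):
        if "process" not in names(cls) or not grants_dyntransition(perms):
            continue
        for s in names(src):
            for t in names(tgt):
                found.append((s, s if t == "self" else t))
    return found

if __name__ == "__main__":
    for s, t in find_dyntransitions(SAMPLE_POLICY):
        print(f"{s} -> {t}: dynamic transition allowed, no execve boundary")
```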




More information about the fedora-selinux-list mailing list