two questions

Stephen Smalley sds at tycho.nsa.gov
Mon Jan 7 15:45:38 UTC 2008


On Mon, 2008-01-07 at 09:43 +1100, James Morris wrote:
> On Fri, 4 Jan 2008, Eric Paris wrote:
> 
> > yes, the permission is dyntransition in the process class.  it is
> > STRONGLY, let me say that again VERY STRONGLY, suggested that you don't
> > make use of this facility.  Basically you lose all separation between
> > those 2 domains.  You don't have any assurance that the process before
> > the transition didn't get hacked/corrupted/bugged and is now
> > transitioning to a new domain but able to do the wrong things (or
> > sometimes even worse not transition to the new domain at all)
> > 
> > I'm not sure what the rationale was to put it in originally but please
> > just find a way to do it on an execve boundary.
> 
> Dynamic transitions were added for privileged MLS applications, which
> sometimes need to implement privilege bracketing (i.e. changing security
> level for some operation).  It should be thought of as a legacy MLS
> feature and not otherwise used.

It has also been suggested as a way of dealing with php scripts
(switching contexts when interpreting them), and as a way of handling
samba (switching to a context derived from the client so that filesystem
accesses are confined based on the client, although to do that properly,
you need derived domains or a fscontext a la fsuid).

It is weaker than the exec-based transitions, but can have practical
benefits.

-- 
Stephen Smalley
National Security Agency
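A policy-level view of the two mechanisms the thread contrasts, as an added example that is not from this thread or from the SELinux reference policy. The type names webserver_t, script_exec_t and script_t are hypothetical; the permission names (transition, entrypoint, setcurrent, dyntransition) are the real ones from the process and file classes. Written as a plain .te fragment, not a refpolicy macro:

```selinux
# Added example, not from the thread.  Hypothetical types:
#   webserver_t  - the domain that wants to change context
#   script_t     - the domain it wants to end up in
#   script_exec_t - label of an executable that is the entrypoint for script_t

# --- 1. Exec-based transition (what the thread recommends) ---
# script_t can only be entered by exec'ing a file labelled script_exec_t,
# so the new image is a known program and the old domain's address space
# (and whatever may have been corrupted in it) is discarded by execve.
allow webserver_t script_exec_t:file { read getattr execute };
allow webserver_t script_t:process transition;
allow script_t script_exec_t:file entrypoint;
type_transition webserver_t script_exec_t:process script_t;

# --- 2. Dynamic transition (the legacy MLS / privilege-bracketing route) ---
# Lets a running webserver_t process call setcon(3) (a write to
# /proc/self/attr/current) and become script_t with no execve at all:
# same memory, same open descriptors, same everything.  The kernel checks
# setcurrent on the caller itself and dyntransition between the two
# domains, and refuses the change for multi-threaded processes.
allow webserver_t self:process setcurrent;
allow webserver_t script_t:process dyntransition;

# Audit hint (defender's view): a dyntransition rule is the thing to grep
# for when reviewing a policy module, since it removes the guarantee that
# script_t only ever starts from a script_exec_t image.
```

Leaving the second block out of a module is the normal state; its presence is what needs a justification like the MLS privilege-bracketing case James describes, or the php/samba designs above where the caller's pre-transition state is accepted as trusted.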

More information about the fedora-selinux-list mailing list