Re: sshd transition points

[Stephen Smalley <sds@xxxxxxxxxxxxxx>]

On Tue, 2005-02-15 at 15:03, Luke Kenneth Casson Leighton wrote:
>  leaving the restructuring issue aside for one moment, in order to
>  minimise the amount of work involved, would it be reasonable to
>  track the privilege-separated sshd (which is supposed to run in
>  an unused user account) with an intermediate security context, using
>  a dynamic context transition, if necessary, to get to it?

Note that there are several processes involved (based on the diagram):
- the listening sshd
- the parent monitor process
- the unprivileged child for network processing
- the user privileged child for user request processing

Further, note the relationships among these processes (again, based on
the diagram):
- listening sshd forks parent monitor
- parent monitor forks the unprivileged child
- unprivileged child exports state back to the parent monitor and dies
- parent monitor forks and exec's the user privileged child

Hence, dynamic context transitions to two different domains would be
suitable for the parent monitor (e.g. sshd_monitor_t) and for the
unprivileged child (e.g. sshd_unpriv_t).  The user privileged child will
already run in its own domain (user_t or staff_t) due to the existing
logic for setting the user security context upon the execve.
 
-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.