Re: sshd transition points

[Stephen Smalley <sds@xxxxxxxxxxxxxx>]

On Tue, 2005-02-15 at 15:57, Luke Kenneth Casson Leighton wrote:
>  and, sorry for asking a second question in this fashion, but
>  if so, how would i derive the context which to dynamically
>  transition to?
> 
>  i couldn't use get_default_context() ... or could i?
> 
>  it'd involve calling the new lovely setcon(), i know that.

At present, you can't use get_default_context() because it only returns
contexts for which 'transition' permission has been allowed, not
'dyntransition'.  Whether or not we should change the internal logic
(which ultimately goes down to the kernel's /selinux/user interface) to
also return contexts for dynamic transitions or instead introduce a
separate interface for this purpose is not clear.

Further, get_default_context() is only suitable when getting a default
context for a user session.  In this case, you want domains for the
monitor process and the unprivileged child process, neither of which are
associated with a user.  Hence, I'd just pull them out of a config file.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.