Re: dynamic context transitions
On Tue, 2005-02-15 at 16:34, Luke Kenneth Casson Leighton wrote:
> i assume it _is_ necessary to perform dynamic auto transitions?
>
> such that i can track to alternative contexts, yes?
No. Dynamic transitions are always explicitly requested by
applications, just like setuid(2) calls. Since you must modify the
application anyway to introduce the dynamic context transition (unlike
an automatic transition upon an existing execve call), there is no such
thing as an automatic dynamic transition. Now, the issue of how to get
the right new domain is another matter. For user contexts, we want
something akin to get_default_context(). But in this case, you are
again dealing with two fixed domains that are not associated with a
user, IIUC, so you might as well just create new appconfig files (under
policy/appconfig) that are installed to
/etc/selinux/$SELINUXTYPE/contexts and read by sshd upon startup to
obtain the desired context for the monitor and unprivileged child.
--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
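
The appconfig approach described in the message, as an added example that is not part of the original post and is not sshd's code: it looks up the context for the monitor or the unprivileged child in configuration text, then explicitly requests the transition. The file format, the role keys and the type names are hypothetical, and the write to /proc/self/attr/current stands in for libselinux's setcon(3).

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample; the "<role> <context>" format, roles and types are hypothetical. */
static const char SAMPLE[] =
    "# sshd privilege separation contexts\n"
    "monitor system_u:system_r:sshd_monitor_t\n"
    "child   system_u:system_r:sshd_child_t\n"
    "broken  system_u:sshd_t\n";

/* A context needs at least user:role:type, with no empty field. */
static int valid_context(const char *c) {
    int fields = 1;
    for (const char *p = c; *p; p++)
        if (*p == ':') { if (p == c || p[1] == ':' || !p[1]) return 0; fields++; }
    return *c && fields >= 3;
}

/* Copy the context configured for `role` into out; -1 if absent or malformed. */
int lookup_context(const char *text, const char *role, char *out, size_t outlen) {
    char line[256], key[64], ctx[192];
    for (size_t n; *text; text += n + (text[n] == '\n')) {
        n = strcspn(text, "\n");
        if (n >= sizeof line || *text == '#') continue;
        memcpy(line, text, n);
        line[n] = '\0';
        if (sscanf(line, "%63s %191s", key, ctx) != 2 || strcmp(key, role)) continue;
        if (!valid_context(ctx) || strlen(ctx) >= outlen) return -1;
        strcpy(out, ctx);
        return 0;
    }
    return -1;
}

/* Explicit request, like setcon(3): write the context to /proc/self/attr/current. */
int request_transition(const char *ctx) {
    int fd = open("/proc/self/attr/current", O_WRONLY);
    if (fd < 0) return -1;
    int ok = write(fd, ctx, strlen(ctx) + 1) > 0;
    close(fd);
    return ok ? 0 : -1;
}

int main(void) {
    char ctx[192]; /* non-zero exit: fail closed if lookup or transition fails */
    return lookup_context(SAMPLE, "child", ctx, sizeof ctx) || request_transition(ctx);
}
```

Policy must grant the calling domain the process setcurrent permission and dyntransition to the target type; otherwise the write fails and the caller should exit rather than continue in the old domain.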