SELinux Mailing List

Re: dynamic context transitions

From: Luke Kenneth Casson Leighton <lkcl_at_lkcl.net>
Date: Mon, 1 Nov 2004 20:35:24 +0000


On Mon, Nov 01, 2004 at 03:10:41PM -0500, James Morris wrote:
> On Mon, 1 Nov 2004, Darrel Goeddel wrote:
>
> > James,
> > I am hoping that this response will also address your question of
> > applicability outside of the MLS policy.
>
> > I have looked back on the threads involving smbd and famd and it does indeed
> > seem that dynamic transitions may help to bring those applications to a
> > "SELinux-aware" state.
>
> Is there any reason why smbd can't exec a simple helper application in the
> required context which only does what needs to be done?
 

 no there is no reason why [a helper application should] not [be used].  

 i am not sure if the simple solution [that andrew and russell came up with] was fully enumerated: it involves exec'ing a per-user helper application which does a setuid.

 the helper application opens files as-and-when they are needed, [and also does mkdirs? and rmdirs?] and then passes the file descriptor over a unix-domain-socket to the smbd process, which NEVER itself does file opens under a user context.

 i believe it then no longer becomes necessary for smbd to call become_user().

 l.

-- 
--
you don't have to BE MAD   | this space    | my brother wanted to join mensa,
  to work, but   IT HELPS  |   for rent    | for an ego trip - and get kicked 
 you feel better!  I AM    | can pay cash  | out for a even bigger one.
--

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Mon 1 Nov 2004 - 15:24:43 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service