
SELinux Mailing List

Re: dynamic context transitions

From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Date: Wed, 03 Nov 2004 08:53:49 -0500


On Tue, 2004-11-02 at 16:33, Karl MacMillan wrote:
> On Tue, 2004-11-02 at 13:02 -0500, Stephen Smalley wrote:
> > The amount of trust placed in samba is the same, but the dynamic context
> > transition allows the kernel to handle the mediation directly and
> > atomically with respect to the file access. Otherwise, you have to
> > duplicate the checking in samba (which will still ultimately get the
> > decisions from the kernel via selinuxfs) and deal in some way with race
> > conditions. Keep in mind that we are talking about user-writable
> > directories that are being exported by samba.
> >
>
> This is using the dynamic context transitions as a practical
> _discretionary_ security measure then. That may have some benefit. I'm
> still concerned that the benefits don't outweigh the costs. We are,
> after all, talking about breaking some fundamental assumptions of the
> SELinux mechanism in a way that may give many people a false sense of
> security.

Discretionary? To samba, I suppose, but not to the client. We are still talking about the enforcement of a mandatory policy, whether the enforcement is provided by samba as a userspace object manager or by the kernel based on samba's dynamic transitions.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Wed 3 Nov 2004 - 08:57:46 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service