On Mon, 2004-11-01 at 10:23 -0600, Darrel Goeddel wrote:
> James,
> I am hoping that this response will also address your question of
> applicability outside of the MLS policy.
>
> Luke Kenneth Casson Leighton wrote:
> > this proposal is a little bit like seteuid-for-selinux, only not
> > really, because seteuid has the ability to switch to any uid and then
> > to any uid after that, ad infinitum.
> >
>
> That is correct. We are looking at a well-defined (via the policy) set of
> available type transitions. Note that you can also specify a one-way dynamic
> transition as well (type1_t can dynamically transition to type2_t, but type2_t
> has no dynamic transitions available). This will allow a daemon process to
> initialize itself with one set of access rights (bind ports, read conf files,
> etc.), and then lock itself into a domain with less access rights for the
> duration of its execution.

I can see some specialized uses for this with e.g. the Samba example, but I'm having trouble seeing how it would be broadly useful, although I haven't thought about the MLS case much. But in your examples above, the policy can already restrict which ports a domain can bind; it doesn't seem useful to drop the privileges to bind to those ports. Also, why would it be useful to drop the privileges to read configuration files?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.