SELinux Mailing List
Re: dynamic context transitions
From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Date: Tue, 02 Nov 2004 13:02:44 -0500
I agree that the trust boundary has to be at the process boundary. What I was saying is that merely re-factoring your application code into multiple helpers doesn't necessarily establish a real barrier to arbitrary mis-use of the helpers by the calling application. You have to think carefully about the interface between them. Of course, if they aren't separate processes, then that interface is obviously arbitrarily wide and uncontrolled, as you say.
> I don't think

The amount of trust placed in samba is the same, but the dynamic context transition allows the kernel to handle the mediation directly and atomically with respect to the file access. Otherwise, you have to duplicate the checking in samba (which will still ultimately get the decisions from the kernel via selinuxfs) and deal in some way with race conditions. Keep in mind that we are talking about user-writable directories that are being exported by samba.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Tue 2 Nov 2004 - 13:06:28 EST
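The two designs contrasted in the message, seen from the daemon's side, as an added example in Python (not code from the thread, from samba, or from libselinux). The helper names are hypothetical; the selinuxfs `access` file and the procfs `attr/current` file are the kernel's own interfaces, and the class index and permission bitmask are taken as already-resolved arguments.

```python
import os

SELINUXFS = "/sys/fs/selinux"                    # usual selinuxfs mount point
ATTR_CURRENT = "/proc/thread-self/attr/current"  # this thread's current context


def format_access_query(scon: str, tcon: str, tclass: int, requested: int) -> str:
    """Request line written to selinuxfs 'access': scontext tcontext class av.
    `tclass` is the class index and `requested` the permission bitmask, both
    resolvable from /sys/fs/selinux/class/<name>/ (lookup not shown here)."""
    return f"{scon} {tcon} {tclass} {requested:x}"


def parse_access_reply(reply: str) -> dict:
    """Kernel reply: 'allowed decided auditallow auditdeny seqno flags' (hex fields, seqno decimal)."""
    allowed, decided, auditallow, auditdeny, seqno, flags = reply.split()
    return {"allowed": int(allowed, 16), "decided": int(decided, 16),
            "auditallow": int(auditallow, 16), "auditdeny": int(auditdeny, 16),
            "seqno": int(seqno), "flags": int(flags, 16)}


def is_allowed(reply: str, requested: int) -> bool:
    """True only if every requested permission bit is present in the allowed vector."""
    return (parse_access_reply(reply)["allowed"] & requested) == requested


def userspace_checked_open(scon, tcon, tclass, requested, path):
    """Design 1: duplicate the check in the daemon. The decision covers the label
    `tcon` as it was when queried; the object at `path` can be relabeled or
    replaced before the open below, so this is check-then-act with a race window."""
    fd = os.open(f"{SELINUXFS}/access", os.O_RDWR)
    try:
        os.write(fd, format_access_query(scon, tcon, tclass, requested).encode())
        reply = os.read(fd, 4096).decode()   # same fd returns the decision
    finally:
        os.close(fd)
    if not is_allowed(reply, requested):
        raise PermissionError(f"{scon} may not access {path}")
    return os.open(path, os.O_RDONLY)        # race window lies between check and open


def transitioned_open(client_context: str, path: str):
    """Design 2: dynamic context transition. The serving thread switches to the
    client's domain (policy must allow process:dyntransition to it), and the
    kernel checks the open against the file's label at the moment it happens."""
    with open(ATTR_CURRENT, "w") as f:
        f.write(client_context)
    return os.open(path, os.O_RDONLY)
```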
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009