>>SELinux Mailing List: by thread

• Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

From: Vanuxem <gvanuxem_at_club-internet.fr>
subject: TR: Trans_domain and MLS (small error)
Date: Mon, 17 Dec 2001 14:32:07 +0100

• This message: [ Message body ]
• Next message: Stephen Smalley: "Re: TR: Trans_domain and MLS (small error)"
• Previous message: Stephen Smalley: "Re: two different domains from on program"
• Next in thread: Stephen Smalley: "Re: TR: Trans_domain and MLS (small error)"
• Reply: Stephen Smalley: "Re: TR: Trans_domain and MLS (small error)"

Hi

I have two questions :

• How can I 'Trans' to system role if the original is user

I explain :
I have the pppd domain that work under the user or sysadm role for example :

'greg:user_r:user_pppd_t'

I want allow to trans to the system role and system user: system_u:system_r:portsentry_t
If use the macro domain_auto_trans : domain_auto_trans ($1_pppd, portsentry_exec_t,portsentry_t)
The resulting context is greg:user_r:portsentry_t

Is it possible without using newrole??

• I want to know if you continue your work about MLS

Since if I want that a user login with a high level, he must write on a tty device that has a lower level.
I know that the MLS is just for experimentation but I have no see some change in the code and may be you
stop this developement actually...

Sorry for my poor english...

        Greg

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: TR: Trans_domain and MLS (small error)
Date: Mon, 17 Dec 2001 08:40:25 -0500 (EST)

• This message: [ Message body ]
• Next message: Hans Reiser: "Re: persistent labelling on afs, jfs, xfs?"
• Previous message: Vanuxem: "TR: Trans_domain and MLS (small error)"
• In reply to: Vanuxem: "TR: Trans_domain and MLS (small error)"

On Mon, 17 Dec 2001, Vanuxem wrote:

> I have the pppd domain that work under the user or sysadm role for example :
>
> 'greg:user_r:user_pppd_t'
>
> I want allow to trans to the system role and system user:
> system_u:system_r:portsentry_t
> If use the macro domain_auto_trans : domain_auto_trans ($1_pppd,
> portsentry_exec_t,portsentry_t)
> The resulting context is greg:user_r:portsentry_t
>
> Is it possible without using newrole??

See the run_init utility program and its domain. It transitions to the system_u:system_r:initrc_t domain and then runs the user-specified init script, which ensures that any daemons are started with the appropriate user identity, role, and domain (because domain transitions are already defined from initrc_t for the daemon processes). The run_init program, like newrole, reauthenticates the user to ensure that the user wants to perform the transition (to help protect against invocation by malicious code).

> - I want to know if you continue your work about MLS

We aren't actively developing the MLS code or policy at present. To date, we have focused on the RBAC and TE policy components, since these are viewed as being of greater interest to the Linux community. See the README.MLS file for a description of what needs to be done to make the MLS policy useable.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

• Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT