
List:       selinux
Subject:    Re: transition policy/logic for shell-, perl- and python-scripts
From:       Stefan Schulze Frielinghaus <stefan () seekline ! net>
Date:       2008-12-27 19:04:37
Message-ID: 1230404677.2932.19.camel () localhost ! localdomain

On Sat, 2008-12-27 at 12:01 +0100, domg472 g472 wrote:
> A (executable) file is an "entrypoint" for domain transition.
> 
> source domain -> executable files type -> target domain
> 
> but domain transition is not default behaviour. Remember SELinux is
> least privilege
> 
> 1. deny access ( default )
> 2. run the executable file in the source domain (can_exec(source
> domain, executable files type))
> 3. Transition from a source domain to a target domain through an
> executable files type (domain_auto_trans(source domain, executable
> files type, target domain))
> 
> the unconfined domain is designed to NOT transition. unconfined_t is
> not targeted, in other words it is (for the most part) exempted from
> SELinux.

How do you check if an entrypoint exists? Via security_check_context()?
I couldn't find any other function which could do the job. Or in general
how would you do it programmatically? What set of functions do you
recommend?

cheers,
Stefan


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
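Editor's note (added example, not part of the thread above): the three outcomes domg472 lists (deny, run in the source domain via can_exec, or move to a target domain via domain_auto_trans) boil down to a handful of allow rules plus a type_transition rule, and "does an entrypoint exist" is the question "which file types carry file:entrypoint for this domain". The script below models exactly those checks over a constructed toy policy whose rule syntax only mimics what sesearch prints; it is not a policy parser and the types in it (init_t, httpd_t, httpd_exec_t, sshd_t, sshd_exec_t, bin_t, unconfined_t) are used purely for illustration. On a live system the same questions are answered by the loaded policy itself: libselinux's security_compute_av() reports whether a given (source context, target context, class, permission) is allowed and security_compute_create() returns the default context an exec from a given source on a given file type would produce, while sesearch -A (allow rules) and sesearch -T (type_transition rules) query the policy offline. security_check_context() only tells you whether a context string is valid under the loaded policy, which is a different question.

```python
"""Toy model of the three outcomes the quoted message lists for
"a process in domain S executes a file of type T":
deny, run in S (can_exec), or transition to a target domain
(domain_auto_trans).  Added example, not code from the thread; the policy
below is constructed and the rule syntax only mimics `sesearch` output."""
import re

# Constructed toy policy.  init_t may start httpd_t through httpd_exec_t;
# a type_transition for sshd_exec_t exists but its allow rules do not, which
# is the "transition declared but denied" case.
TOY_POLICY = """
allow init_t httpd_exec_t:file { read getattr open execute };
allow init_t httpd_t:process transition;
allow httpd_t httpd_exec_t:file { read execute entrypoint };
type_transition init_t httpd_exec_t:process httpd_t;
allow init_t sshd_exec_t:file { read execute };
type_transition init_t sshd_exec_t:process sshd_t;
allow unconfined_t bin_t:file { read execute execute_no_trans };
allow unconfined_t httpd_exec_t:file { read execute execute_no_trans };
"""

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);$")
TT_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+):process\s+(\w+);$")


def parse_policy(text):
    """Return (allow, trans).  allow maps (src, tgt, class) to a permission
    set; trans maps (src, exec_type) to the default target domain."""
    allow, trans = {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            allow.setdefault((src, tgt, cls), set()).update(perms.strip("{} ").split())
            continue
        m = TT_RE.match(line)
        if m:
            src, exec_type, target = m.groups()
            trans[(src, exec_type)] = target
            continue
        raise ValueError("unrecognised rule: " + line)
    return allow, trans


def allowed(allow, src, tgt, cls, perm):
    return perm in allow.get((src, tgt, cls), set())


def entrypoints(allow, domain):
    """File types that are entrypoints for `domain` (file:entrypoint)."""
    return {tgt for (src, tgt, cls), perms in allow.items()
            if src == domain and cls == "file" and "entrypoint" in perms}


def missing_for_transition(allow, src, exec_type, target):
    """The three allow rules domain_auto_trans()/domain_trans() expand to,
    returned as the subset that is absent (empty list = transition allowed)."""
    checks = [
        (src, exec_type, "file", "execute"),
        (target, exec_type, "file", "entrypoint"),
        (src, target, "process", "transition"),
    ]
    return ["allow %s %s:%s %s;" % c for c in checks if not allowed(allow, *c)]


def exec_outcome(policy_text, src, exec_type):
    """Mimic the kernel's order of checks at execve()."""
    allow, trans = parse_policy(policy_text)
    # file:execute on the executable is checked first, whatever happens next.
    if not allowed(allow, src, exec_type, "file", "execute"):
        return "deny"
    target = trans.get((src, exec_type), src)  # no type_transition: stay in src
    if target == src:
        # Staying in the same domain additionally needs file:execute_no_trans.
        if allowed(allow, src, exec_type, "file", "execute_no_trans"):
            return "run in " + src
        return "deny"
    # Changing domain needs process:transition and file:entrypoint.
    if missing_for_transition(allow, src, exec_type, target):
        return "deny"
    return "transition to " + target


if __name__ == "__main__":
    allow, _ = parse_policy(TOY_POLICY)
    print("entrypoints for httpd_t:", entrypoints(allow, "httpd_t"))
    for src, t in [("init_t", "httpd_exec_t"), ("init_t", "sshd_exec_t"),
                   ("unconfined_t", "httpd_exec_t"), ("httpd_t", "bin_t")]:
        print(src, "execs", t, "->", exec_outcome(TOY_POLICY, src, t))
    print("missing:", missing_for_transition(allow, "init_t", "sshd_exec_t", "sshd_t"))
```

The sshd_exec_t case is the one worth remembering: a type_transition rule on its own does not make the transition happen, it makes the exec fail with a denial when the matching file:entrypoint or process:transition rule is absent, and missing_for_transition() names the rule that has to be added. The unconfined_t cases show the other half of domg472's point: with execute plus execute_no_trans and no type_transition, the file simply runs in the caller's domain.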