From: Tom <tom@lemuria.org>
To: Richard Mayo <rmayo@caci.com>
Cc: SELinux@tycho.nsa.gov
Subject: Re: Domain transition
Date: Mon, 16 Dec 2002 21:46:15 +0100
Message-ID: <20021216214614.A32716@lemuria.org>
In-Reply-To: <OF0E5EECFE.7EB8F6E6-ON85256C91.006E1E8E@caci.com>; from rmayo@caci.com on Mon, Dec 16, 2002 at 03:09:59PM -0500

On Mon, Dec 16, 2002 at 03:09:59PM -0500, Richard Mayo wrote:
> 1)    What is "domain transition"?  I've configured my system such that it
> doesn't happen, but I'm wondering if it's the best way to go.

It's not. Domain transitions are necessary. It's something like the
SELinux equivalent of setuid. For example, when init starts apache, you
definitely do want the initrc domain to change into the apache domain.


> 2)    Is there a text file on my system with the list of user roles or is
> that information stored some other way?

Look into /etc/security. It has changed around a little recently, but
there should be something like default_* in there with the information
you are looking for.


> 3)    Can I configure the operating system NOT to ask for a user role on
> login?  I would much prefer to have user role determined BY the login.

I'm sure it's possible to skip the check, e.g. if the user is only
allowed to be in a single domain anyway. But I believe you would need
to patch the login code for this.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5
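
The init-to-apache transition described in the reply above, written out as policy rules. This is an added example, not part of the original message; the type names initrc_t, httpd_exec_t and httpd_t are assumptions following common SELinux policy naming and may differ on a given system.

```selinux
# Assumed types (not from the original message):
#   initrc_t      domain of the init scripts
#   httpd_exec_t  file type labelling the apache binary
#   httpd_t       domain apache should run in

# 1. The source domain may execute the entry-point file.
allow initrc_t httpd_exec_t:file { getattr read execute };

# 2. The source domain may transition to the target domain.
allow initrc_t httpd_t:process transition;

# 3. The target domain may be entered through a file of this type.
allow httpd_t httpd_exec_t:file entrypoint;

# 4. Make the transition the default when initrc_t executes the binary,
#    so the init script does not have to request the new domain itself.
type_transition initrc_t httpd_exec_t:process httpd_t;
```

The three allow rules only permit the transition; without the type_transition rule the process stays in initrc_t unless the new domain is requested explicitly.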
