From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: tridge@samba.org
Cc: Volker.Lendecke@sernet.de,
Samba-Technical <samba-technical@samba.org>,
SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: se-samba
Date: Wed, 2 Jun 2004 12:45:23 +0000
Message-ID: <20040602124523.GA3708@lkcl.net>
In-Reply-To: <16573.1058.707078.949935@samba.org>
just wanted to correct some things and also to apologise for having a
bad memory.
now that i recall that it is the SMBsesssetupX that needs to be
de-multiplexed (not the SMBtconX, unless, as tridge says,
the SMBsesssetupX is skipped, as with share-level security), i should
make this clear.
however, my faulty memory has, i believe, no impact on the
solution: the solution remains the same (albeit slower than
it could be, and clumsy).
under which circumstances, yes, tridge is right: 1) the TconX
behaviour is irrelevant (for seteuid()) and 2) the present
samba(4) SMB client NT-VFS plugin's behaviour is less than ideal
(in that it creates new tcp connections for every single TconX
as _well_).
... but it will work, and provide the required security semantics.
in the back-end se-samba(3) all that should be required is to run
pam_selinux.so, and the front-end se-samba(4) just uses the new
proxy plugin.
at a later date, improvements in the SMB NT-VFS proxy plugin can
be made (see cliffs or samba tng libsmb code, for example, somewhere,
i promise!, for a modified libsmb which can do multiple tconXes over
a single TCP connection).
l.
On Wed, Jun 02, 2004 at 08:33:06AM +1000, tridge@samba.org wrote:
> Volker,
>
> > It's a), everything is done via a single tcp connection. One reason is that we
> > want to mirror the behaviour that the server we proxy towards gives us as
> > closely as possible. Separate smb connections give a difference that might have
> > influence on the server's behaviour.
>
> Nope, we open a new connection for each tree connect in that
> backend.
>
> It really doesn't matter though, as unless I have completely
> misunderstood se-linux, the TConX behaviour is completely irrelevant
> for the seteuid() problem that se-linux faces. All TConX does is
> establish a connection to a new directory (ignoring ancient share
> level security setups).