From: Dan Pou <danielp@sgi.com>
To: SELinux-NSA <SELinux@tycho.nsa.gov>
Subject: Programmatic domain change to unprivileged role
Date: Mon, 5 Aug 2013 14:07:32 -0500
Message-ID: <20130805190732.GT18909@localhost>
I have an existing daemon that I am working to enable in an MLS setting,
but I am running into difficulties with calls to get a context of an
unprivileged user from the daemon context
(system_u:system_r:<name-of-service>_t:s0-s15:c0.c1023).
The daemon will run an executable with ID of an authenticated user, so I
looked at trying to replicate the method used by sshd.
When sshd calls get_default_context, there is a transition defined to go
to the user_u:user_r:user_t domain, but there is not one available from
the daemon context I have developed.
Is there a simpler example than ssh that I could look at to understand
how to specify transitions?
The daemon uses the fork+execve method, so I don't think that I need the
dyntransition method, but it is not clear to me how to specify all the
required transitions for executing any file available to an unprivileged
user.
Thanks,
Dan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
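As an added example (not part of this thread, and not Dan's or sshd's actual policy), the module below shows the rules a daemon domain needs to take the sshd-style route that the message describes: look up the user's context with get_default_context(3) (or get_default_context_with_level(3) under MLS), hand it to setexeccon(3), then fork and execve(2) a shell, which lands in user_u:user_r:user_t. The module name and the daemon type myservice_t are assumptions; the example targets the reference policy, where user_t, user_r, shell_exec_t and the named interfaces are defined.

```selinux
# Added example (not from the thread). Assumes the daemon domain is
# myservice_t and the target is the refpolicy unprivileged user domain
# user_t with role user_r.
policy_module(myservice_user_trans, 1.0.0)

gen_require(`
	type myservice_t;
	type user_t;
	role system_r, user_r;
')

########################################
#
# Let myservice_t enter user_t by executing a shell, but only when the
# daemon asks for it with setexeccon(3): the "spec" domtrans grants
# process:transition plus execute on shell_exec_t without the
# type_transition rule that would make every shell exec change domain.
#
corecmd_shell_spec_domtrans(myservice_t, user_t)

# Parent/child handshake the new domain needs after execve(2):
# inherited fds, pipes the daemon set up, and SIGCHLD back to it.
allow user_t myservice_t:fd use;
allow user_t myservice_t:fifo_file rw_fifo_file_perms;
allow user_t myservice_t:process sigchld;

# The same exec changes the role system_r -> user_r. Without this role
# allow rule the kernel rejects the requested context even though the
# type rules above pass.
allow system_r user_r;

# MLS: the daemon runs at s0-s15:c0.c1023 and the child gets the user's
# narrower range, so the daemon needs the mlsprocesssetsl attribute;
# otherwise the MLS constraint on process:transition denies the level
# change on exec.
mls_process_set_level(myservice_t)
```

Build and load it with the usual refpolicy development Makefile (make -f /usr/share/selinux/devel/Makefile myservice_user_trans.pp; semodule -i myservice_user_trans.pp), then confirm the two halves of the transition are present before testing the daemon: sesearch -A -s myservice_t -t user_t -c process -p transition for the domain change, and sesearch -A -s user_t -t shell_exec_t -c file -p entrypoint for the entrypoint. Like sshd, this transitions through a shell rather than through every binary an unprivileged user might run; whatever the shell executes afterwards runs under user_t's existing permissions. If the exec still fails, the audit log will show whether the denial is the type transition, the role change or the MLS level, which tells you which of the three rule groups above is missing.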
Thread overview: 15+ messages
2013-08-05 19:07 Dan Pou [this message]
2013-08-06 20:15 ` Programmatic domain change to unprivileged role Stephen Smalley
2013-08-06 20:37 ` Dan Pou
2013-08-07 12:28 ` Stephen Smalley
2013-08-07 12:41 ` Stephen Smalley
2013-08-08 19:58 ` Dan Pou
2013-08-09 9:59 ` Daniel J Walsh
2013-08-09 12:51 ` Stephen Smalley
2013-08-20 20:05 ` Dan Pou
2013-08-21 7:54 ` Dominick Grift
2013-08-21 14:05 ` Dan Pou
2013-08-21 15:58 ` Dominick Grift
2013-08-21 14:22 ` Stephen Smalley
2013-08-21 14:27 ` Stephen Smalley
2013-08-22 22:50 ` Dan Pou