* about type_change and type_transition
@ 2003-05-16 10:25 Giorgio Zanin
From: Giorgio Zanin @ 2003-05-16 10:25 UTC (permalink / raw)
To: selinux
Is it correct to argue that

  type_transition programs the security server to provide a certain SID (or
  better, a labelling decision) for labelling processes and objects created
  by legacy applications;

  type_change does the same thing but for security-aware applications?
It looks like the difference between auto and exec specification in DTE.
thanks
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: about type_change and type_transition
From: Stephen Smalley @ 2003-05-16 11:45 UTC (permalink / raw)
To: Giorgio Zanin; +Cc: selinux
On Fri, 2003-05-16 at 06:25, Giorgio Zanin wrote:
> Is it correct to argue that
> type_transition programs the security server to provide a certain SID (or
> better, a labelling decision) for labelling processes and objects created
> by legacy applications;
> type_change does the same thing but for security-aware applications?
No. You are correct that type_transition defines a default labeling
behavior for the case where an application uses the ordinary API call
(e.g. execve, open, mkdir, etc). Note that type_transition does NOT
authorize anything; you need to authorize the transition via appropriate
allow rules, and you'll see macros in the example policy that provide
common combinations of type_transition and allow rules, e.g.
domain_auto_trans, file_type_auto_trans. type_change has a different
purpose; it defines a relabeling behavior for situations where a
security-aware application needs to relabel an object based on the
security context of a user process and the existing context of the
object, e.g. when login, newrole, or sshd relabels the tty for the user
shell.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
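The distinction drawn in the reply above, as an added example that is not part of the thread and not code from the SELinux project: a toy Python model of the two security-server decisions. A type_transition rule only supplies the default label for execve or object creation, and the transition still fails unless the separate allow rules (file execute, process transition, file entrypoint) are present; a type_change rule supplies the new label a security-aware program should apply when relabelling, and that relabel still needs relabelfrom/relabelto. The policy text is constructed, the type names (passwd_t, user_tty_device_t, unauth_exec_t and so on) are illustrative rather than copied from the example policy, and the parser handles only the three rule kinds relevant here.

```python
import re
from dataclasses import dataclass, field

# Constructed toy policy in the kernel policy language. Type names are
# illustrative (hypothetical); only type_transition, type_change and allow
# rules with a single class are modelled.
POLICY = """
# execve: user_t running a passwd_exec_t binary becomes passwd_t
type_transition user_t passwd_exec_t:process passwd_t;
allow user_t passwd_exec_t:file { read execute };
allow user_t passwd_t:process transition;
allow passwd_t passwd_exec_t:file entrypoint;
# file creation: files user_t creates in tmp_t directories get user_tmp_t
type_transition user_t tmp_t:file user_tmp_t;
allow user_t tmp_t:dir { add_name write };
allow user_t user_tmp_t:file create;
# relabel: a security-aware login program relabels the tty for the user shell
type_change user_t tty_device_t:chr_file user_tty_device_t;
allow user_t tty_device_t:chr_file relabelfrom;
allow user_t user_tty_device_t:chr_file relabelto;
# a type_transition with no allow rules: a default label exists, nothing is authorised
type_transition user_t unauth_exec_t:process unauth_t;
"""

RULE_RE = re.compile(
    r"^(type_transition|type_change|allow)\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);$"
)


@dataclass
class Policy:
    transitions: dict = field(default_factory=dict)  # (src, tgt, cls) -> new type
    changes: dict = field(default_factory=dict)      # (src, tgt, cls) -> new type
    allows: set = field(default_factory=set)         # (src, tgt, cls, perm)


def parse_policy(text):
    """Parse the subset of policy rules used by this model."""
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        kind, src, tgt, cls, rhs = m.groups()
        if kind == "allow":
            for perm in rhs.strip("{}").split():
                policy.allows.add((src, tgt, cls, perm))
        elif kind == "type_transition":
            policy.transitions[(src, tgt, cls)] = rhs
        else:
            policy.changes[(src, tgt, cls)] = rhs
    return policy


def allowed(policy, src, tgt, cls, perm):
    return (src, tgt, cls, perm) in policy.allows


def default_label(policy, src, tgt, cls):
    """Labelling decision for a new process or object (the type_transition case).
    Without a rule, a process keeps its domain and an object inherits the
    parent/target type, which is the kernel's built-in default."""
    if (src, tgt, cls) in policy.transitions:
        return policy.transitions[(src, tgt, cls)]
    return src if cls == "process" else tgt


def check_exec_transition(policy, domain, exec_type):
    """Return (new domain, missing allow rules) for execve of exec_type by domain."""
    new = default_label(policy, domain, exec_type, "process")
    missing = []
    if not allowed(policy, domain, exec_type, "file", "execute"):
        missing.append(f"allow {domain} {exec_type}:file execute;")
    if new != domain:
        if not allowed(policy, domain, new, "process", "transition"):
            missing.append(f"allow {domain} {new}:process transition;")
        if not allowed(policy, new, exec_type, "file", "entrypoint"):
            missing.append(f"allow {new} {exec_type}:file entrypoint;")
    return new, missing


def check_relabel(policy, domain, obj_type, cls):
    """type_change case: what type should a security-aware program in `domain`
    give an object currently labelled obj_type, and which allow rules are missing."""
    key = (domain, obj_type, cls)
    if key not in policy.changes:
        return None, [f"no type_change rule for {domain} {obj_type}:{cls}"]
    new = policy.changes[key]
    missing = []
    if not allowed(policy, domain, obj_type, cls, "relabelfrom"):
        missing.append(f"allow {domain} {obj_type}:{cls} relabelfrom;")
    if not allowed(policy, domain, new, cls, "relabelto"):
        missing.append(f"allow {domain} {new}:{cls} relabelto;")
    return new, missing


if __name__ == "__main__":
    p = parse_policy(POLICY)
    print(check_exec_transition(p, "user_t", "passwd_exec_t"))   # ('passwd_t', [])
    print(check_exec_transition(p, "user_t", "unauth_exec_t"))   # ('unauth_t', [3 missing rules])
    print(default_label(p, "user_t", "tmp_t", "file"))           # user_tmp_t
    print(check_relabel(p, "user_t", "tty_device_t", "chr_file"))  # ('user_tty_device_t', [])
```

The unauth_exec_t case is the point of the reply: the security server can compute a default new domain from the type_transition rule, yet every permission the transition needs is absent, so the execve would be denied; that is what the domain_auto_trans-style macros bundle together.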