What are the differences between and advantages/disadvantages of the following two commands:
runcon -l s1 <cmd>
newrole -l s1 --c <cmd>
Clarkson, Mike R (US SSA) wrote:
> What are the differences between and advantages/disadvantages of the following two commands:
> runcon -l s1 <cmd>
> newrole -l s1 --c <cmd>
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Off the top of my head

newrole will change the terminal to the level you want to output. So if the app reads/writes to the terminal it will work.
runcon will not, so terminal apps will fail. Writing SystemHigh to a SystemLow terminal should not work.
On Tue, 2007-05-15 at 14:24 -0400, Daniel J Walsh wrote:
> Clarkson, Mike R (US SSA) wrote:
> > What are the differences between and advantages/disadvantages of the following two commands:
> > runcon -l s1 <cmd>
> > newrole -l s1 --c <cmd>
> Off the top of my head
>
> newrole will change the terminal to the level you want to output. So if the app reads/writes to the terminal it will work.
> runcon will not, so terminal apps will fail. Writing SystemHigh to a SystemLow terminal should not work.
Further, newrole runs in its own domain and allows for transitions from less privileged contexts to more privileged contexts, while runcon runs in the caller's domain and requires the caller to already be sufficiently privileged to directly make the transition.
Thanks for the response.
Based on your comments, am I correct in thinking that it is better to provide trusted selinux aware domains access to runcon rather than newrole, since runcon will restrict those domains to do only what the selinux policy allows?
-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: Monday, May 21, 2007 12:02 PM
To: Daniel J Walsh
Cc: Clarkson, Mike R (US SSA); fedora-selinux-list@redhat.com
Subject: Re: runcon vs newrole
On Tue, 2007-05-15 at 14:24 -0400, Daniel J Walsh wrote:
> Clarkson, Mike R (US SSA) wrote:
> > What are the differences between and advantages/disadvantages of the following two commands:
> > runcon -l s1 <cmd>
> > newrole -l s1 --c <cmd>
> Off the top of my head
>
> newrole will change the terminal to the level you want to output. So if the app reads/writes to the terminal it will work.
> runcon will not, so terminal apps will fail. Writing SystemHigh to a SystemLow terminal should not work.
Further, newrole runs in its own domain and allows for transitions from less privileged contexts to more privileged contexts, while runcon runs in the caller's domain and requires the caller to already be sufficiently privileged to directly make the transition.
--
Stephen Smalley
National Security Agency
On Tue, 2007-05-22 at 13:26 -0700, Clarkson, Mike R (US SSA) wrote:
> Thanks for the response.
>
> Based on your comments, am I correct in thinking that it is better to provide trusted selinux aware domains access to runcon rather than newrole, since runcon will restrict those domains to do only what the selinux policy allows?
That doesn't sound right. runcon itself doesn't restrict anything; it is just a utility that runs in the domain of the caller and has no more (or less) permissions than its caller. Even the ability to execute the runcon code is uninteresting. The operating system is what controls the ability to transition.
Use runcon only when the caller is already trusted (and trustworthy) to directly effect the transition and when the caller will take whatever actions are necessary to properly set up the environment for the new context. Use newrole when you want some enforced separation between the caller and the new context and you want the newrole program to handle setting up the environment for the new context (e.g. polyinstantiated directories).
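
Added example (not part of the thread or of any poster's message): a simplified Python model of the MLS check behind the terminal behaviour discussed above, where runcon leaves the tty at its old level and newrole relabels it. The contexts are constructed samples, and the rule used (read requires the process level to dominate the tty level, write requires equal levels) is an assumption that ignores type enforcement and policy exemptions.

```python
import re

def parse_level(level):
    """'s1' or 's1:c0,c3.c5' -> (sensitivity, frozenset of category numbers)."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity {sens!r}")
    found = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")          # 'c3.c5' is the range c3..c5
        found.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), frozenset(found)

def split_context(context):
    """'user:role:type:range' -> ('user:role:type', range string)."""
    fields = context.split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"no MLS field in {context!r}")
    return ":".join(fields[:3]), fields[3]

def low_level(context):
    """Low (current) level of a context; for 's0-s15:c0.c1023' that is s0."""
    return parse_level(split_context(context)[1].split("-", 1)[0])

def dominates(a, b):
    """a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def tty_access(proc_ctx, tty_ctx):
    """Simplified MLS rule (assumption): read needs dom, write needs equality."""
    p, t = low_level(proc_ctx), low_level(tty_ctx)
    return {"read": dominates(p, t), "write": p == t}

def relabel_level(context, level):
    """Model of newrole relabeling the tty: same user:role:type, new level."""
    return f"{split_context(context)[0]}:{level}"

# Constructed sample contexts (not taken from the thread).
TTY_S0 = "user_u:object_r:user_tty_device_t:s0"
PROC_S1 = "user_u:user_r:user_t:s1"

if __name__ == "__main__":
    # runcon -l s1: the process moves to s1, the tty stays at s0.
    print("runcon -l s1 :", tty_access(PROC_S1, TTY_S0))
    # newrole -l s1: the tty is relabeled to s1 along with the process.
    print("newrole -l s1:", tty_access(PROC_S1, relabel_level(TTY_S0, "s1")))
```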