
Re: mysql issues...



On Wed, 2004-05-26 at 00:17, Russell Coker wrote:
> Why have mysql_cmd_t instead of just allowing user_t directly?  What is the 
> benefit in having a domain for client access?

Is the client program setgid or setuid presently to give it more
access?  If so, then a separate domain is reasonable.  Regardless, there
is a potential advantage in limiting access to the client program, e.g.
you can ensure that only well-formed messages constructed by the client
program are sent on that socket as opposed to arbitrary data from the
user.  Naturally, it all depends on what you are trying to protect and
what threats you want to counter.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
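
The trade-off discussed in this message, as an added SELinux policy example that is not part of the original post or of any shipped policy: without a client domain, everything running as user_t may talk to the server socket; with one, only the client program can. mysql_cmd_t and user_t come from the thread; mysql_client_exec_t, mysqld_t, mysqld_var_run_t and user_r are assumed names for the client binary's label, the server domain, the socket file's label and the user role.

```te
# Added illustration, not from the thread. Assumed names (not on the page):
#   mysql_client_exec_t  label on the client binary
#   mysqld_t             server domain
#   mysqld_var_run_t     label on the server's UNIX socket file
#   user_r               role of ordinary users

# --- Option A: no client domain -------------------------------------
# Any code running in user_t can open the socket and write arbitrary
# bytes to the server. Shown commented out for comparison only.
# allow user_t mysqld_var_run_t:dir search;
# allow user_t mysqld_var_run_t:sock_file write;
# allow user_t mysqld_t:unix_stream_socket connectto;

# --- Option B: separate client domain -------------------------------
type mysql_cmd_t, domain;
type mysql_client_exec_t, file_type, exec_type;
role user_r types mysql_cmd_t;

# user_t may execute the client only by transitioning into mysql_cmd_t.
# No execute_no_trans is granted, so the client never runs as user_t.
allow user_t mysql_client_exec_t:file { getattr read execute };
allow user_t mysql_cmd_t:process transition;
allow mysql_cmd_t mysql_client_exec_t:file { entrypoint getattr read execute };
type_transition user_t mysql_client_exec_t:process mysql_cmd_t;

# Only the client domain may reach the server socket.
allow mysql_cmd_t mysqld_var_run_t:dir search;
allow mysql_cmd_t mysqld_var_run_t:sock_file write;
allow mysql_cmd_t mysqld_t:unix_stream_socket connectto;

# Compile-time check: the policy build fails if a later rule gives
# user_t direct access to the socket, which would bypass the client.
neverallow user_t mysqld_t:unix_stream_socket connectto;
neverallow user_t mysqld_var_run_t:sock_file write;

# Rules unrelated to the socket (shared libraries, terminal access)
# are outside the scope of this example.
```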

