I've been trying to establish whether it is possible in TX for a process running in a labelled zone to access a door server which is running in another labelled zone, given some dominance relationship between the labels of the two zones.

If I recall correctly, a door server needs read-write access to the rendezvous point and a door client needs read access. Assuming this is correct...

If the label of zone A dominates the label of zone B, it should not be possible for a door server in A to open a rendezvous point (read-write) which is accessible for read by a door client in B: a file system object which is writeable in A and readable in B enables a write-down.

If the label of zone B dominates the label of zone A, a door server in A having read-write access to the rendezvous point and a door client in B having read access to the rendezvous point seems OK as far as the file system objects are concerned; however, there is the potential for write-down simply by the door client sending data to the door server.

Could someone confirm/deny my understanding? Is there a way that a labelled zone door server can work given some additional privilege, or is this fundamentally disallowed?

(BTW, I realise that this is all possible if the door server runs in the global zone. I'm trying to get maximum containment of a trusted function.)

Thanks
Mike