* [refpolicy] kernel_terminal.patch
@ 2009-03-04 21:26 Daniel J Walsh
  2009-03-05 14:04 ` Christopher J. PeBenito
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel J Walsh @ 2009-03-04 21:26 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_terminal.patch

Terminals can be labeled devpts_t and consoles can be labeled tty_device_t.


* [refpolicy] kernel_terminal.patch
  2009-03-04 21:26 [refpolicy] kernel_terminal.patch Daniel J Walsh
@ 2009-03-05 14:04 ` Christopher J. PeBenito
  2009-03-05 14:56   ` Daniel J Walsh
  0 siblings, 1 reply; 10+ messages in thread
From: Christopher J. PeBenito @ 2009-03-05 14:04 UTC (permalink / raw)
  To: refpolicy

On Wed, 2009-03-04 at 16:26 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_terminal.patch
> 
> Terminals can be labeled devpts_t and consoles can be labeled
> tty_device_t.

For both of these, in what circumstances does this happen?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] kernel_terminal.patch
  2009-03-05 14:04 ` Christopher J. PeBenito
@ 2009-03-05 14:56   ` Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2009-03-05 14:56 UTC (permalink / raw)
  To: refpolicy

Christopher J. PeBenito wrote:
> On Wed, 2009-03-04 at 16:26 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_terminal.patch
>>
>> Terminals can be labeled devpts_t and consoles can be labeled
>> tty_device_t.
> 
> For both of these, in what circumstances does this happen?
> 
Usually boot up, I think devices created before init.  Devices created
by unconfined domains, devices created in permissive mode.



* [refpolicy] kernel_terminal.patch
@ 2010-08-26 23:20 Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2010-08-26 23:20 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_terminal.patch

All ttys should include tty_device_t


* [refpolicy] kernel_terminal.patch
@ 2010-06-02 20:27 Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2010-06-02 20:27 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_terminal.patch

Dontaudit should use inherited instead of rw, so we can catch the open call.


* [refpolicy] kernel_terminal.patch
  2009-11-19 20:01 ` Christopher J. PeBenito
@ 2009-11-19 22:01   ` Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2009-11-19 22:01 UTC (permalink / raw)
  To: refpolicy

On 11/19/2009 03:01 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 16:05 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/kernel_terminal.patch
>>
>> ptmx moved to /dev/pts
>>
>> fixup interfaces
> 
> Merged.
> 
>> console_device_t on Zseries is same as tty_device_t
> 
> If I recall correctly, there is an instance where a system logs into
> console_device_t, so relabel permissions are required on that type.
> Perhaps we should look into conditionally treating console_device_t and
> tty_device_t as the same thing on these system(s)?
> 
Yes although I do not plan on per arch policy.


* [refpolicy] kernel_terminal.patch
  2009-11-12 21:05 Daniel J Walsh
@ 2009-11-19 20:01 ` Christopher J. PeBenito
  2009-11-19 22:01   ` Daniel J Walsh
  0 siblings, 1 reply; 10+ messages in thread
From: Christopher J. PeBenito @ 2009-11-19 20:01 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-11-12 at 16:05 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/kernel_terminal.patch
> 
> ptmx moved to /dev/pts
> 
> fixup interfaces

Merged.

> console_device_t on Zseries is same as tty_device_t

If I recall correctly, there is an instance where a system logs into
console_device_t, so relabel permissions are required on that type.
Perhaps we should look into conditionally treating console_device_t and
tty_device_t as the same thing on these system(s)?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] kernel_terminal.patch
@ 2009-11-12 21:05 Daniel J Walsh
  2009-11-19 20:01 ` Christopher J. PeBenito
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel J Walsh @ 2009-11-12 21:05 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/kernel_terminal.patch

ptmx moved to /dev/pts

fixup interfaces

console_device_t on Zseries is same as tty_device_t


* [refpolicy] kernel_terminal.patch
@ 2009-05-21 15:29 Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2009-05-21 15:29 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_terminal.patch

Additional terminal interaction.

add /dev/pts/ptmx file context

Fix interfaces to handle different hardware types.

Add interface used in Fedora.


* [refpolicy] kernel_terminal.patch
@ 2008-11-25 21:52 Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2008-11-25 21:52 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_terminal.patch

Sometimes the console device is a tty_device_t