From: Stephen Smalley <sds@tislabs.com>
To: Timothy Wood <timothy@hallcomp.com>
Cc: Ed Street <blacknet@simplyaquatics.com>,
	"'SE Linux'" <selinux@tycho.nsa.gov>
Subject: RE: sysadm_tty_device_t
Date: Thu, 11 Jul 2002 16:05:35 -0400 (EDT)
Message-ID: <Pine.GSO.4.33.0207111559010.21775-100000@raven>
In-Reply-To: <1026417306.1659.18.camel@phobos>


On 11 Jul 2002, Timothy Wood wrote:

> So no matter what the file context is login and newrole relabel them
> when they take control of the tty, correct?  If so, then it is really up
> to the controlling program (or program that needs control in this case)
> and so syslog needs permissions to relabel and/or control the tty,
> yes/no?

The modified login and newrole programs (and sshd program, but it only
deals with ptys) relabel the terminal device based on the user's context
and the original context on the device.  The proper SID is obtained via
the security_change_sid call, which computes a SID based on the
type_change rules in the policy configuration.

This is only necessary when you have a dynamic situation where the proper
context for the device needs to be adjusted for the current "owner" of the
device, and is parallel to the existing Linux handling of setting the uid
on such devices.

If you are dedicating a terminal for syslogd output, then you can
statically label it with a type, grant syslogd permission to append to
that type, and be done with it.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
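
As an added illustration (not part of the original message and not code from the SELinux project), the following simplified Python model parses type_change rules and derives the context a relabeling program such as login or newrole would apply to a terminal. The rule set, every type name other than sysadm_tty_device_t, the function names, and the defaults used when no rule matches are assumptions.

```python
import re

# Constructed policy excerpt. Only sysadm_tty_device_t appears in the thread;
# the other type names and the rules themselves are assumptions.
POLICY = """
# terminal handed to an ordinary user session
type_change user_t   tty_device_t:chr_file      user_tty_device_t;
# terminal handed to an administrator session
type_change sysadm_t tty_device_t:chr_file      sysadm_tty_device_t;
type_change sysadm_t user_tty_device_t:chr_file sysadm_tty_device_t;
"""

RULE = re.compile(r"type_change\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;")

def parse_type_change(text):
    """Return {(source_type, target_type, class): new_type} from policy text."""
    rules = {}
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            src, tgt, cls, new = m.groups()
            rules[(src, tgt, cls)] = new
    return rules

def change_context(rules, subject, device, tclass="chr_file"):
    """Model of the relabel computation for a device node.

    Assumed defaults: user taken from the subject, role object_r, and the
    device keeps its current type when no type_change rule matches.
    """
    s_user, _, s_type = subject.split(":")
    _, _, d_type = device.split(":")
    new_type = rules.get((s_type, d_type, tclass), d_type)
    return f"{s_user}:object_r:{new_type}"

def needs_relabel(rules, subject, device, tclass="chr_file"):
    """True when the computed type differs from the device's current type."""
    new_type = change_context(rules, subject, device, tclass).split(":")[2]
    return new_type != device.split(":")[2]

RULES = parse_type_change(POLICY)

if __name__ == "__main__":
    admin = "root:sysadm_r:sysadm_t"
    for dev in ("system_u:object_r:tty_device_t",
                "system_u:object_r:syslog_tty_device_t"):  # hypothetical static type
        print(dev, "->", change_context(RULES, admin, dev))
```

In this model a terminal carrying the hypothetical static type syslog_tty_device_t matches no type_change rule, so its type is left alone, which corresponds to the statically labelled case in the last paragraph of the message.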





