SELinux Mailing List

serial devices

From: Russell Coker <russell_at_coker.com.au>
Date: Sat, 4 Oct 2003 14:20:21 +1000


Currently we have serial ports labeled as tty_device_t by default.

The problem is that serial ports are used for modems, printers, and many other things than terminals. Currently the sample policy does not permit such access. So cups and lpd are not granted access, and if you want to run minicom you have to change the context of the device (and add new policy) or run minicom as sysadm_t.

I have been thinking of creating a new type for non-login serial devices and granting pppd, cups and lpd full access to it, then the administrator would have the option of granting users access to it for running minicom without allowing them to spoof logins.

Another possibility is to have different types for the device as used by cups, pppd, and minicom. Then change the contexts of serial devices to indicate which service they are for, but this could be painful to administer.

What do you think?

--

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--

This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Sat 4 Oct 2003 - 00:20:45 EDT
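The first option raised in the message above, sketched as an added example that is not part of the original post or of the sample policy. The type name `serial_nonlogin_device_t`, the domain names `pppd_t`, `cupsd_t`, `lpd_t` and `user_t`, and the choice of `/dev/ttyS1` as the modem line are all assumptions made for illustration.

```selinux
# Added example, not from the sample policy. All names below are hypothetical.

# New type for serial lines that never present a login prompt
# (modems, serial printers). Any attributes the sample policy expects
# on device types are omitted here.
type serial_nonlogin_device_t;

# "Full access" for the daemons named in the post, limited to the
# character-device permissions needed to drive a serial line.
allow pppd_t  serial_nonlogin_device_t:chr_file { getattr setattr read write ioctl lock };
allow cupsd_t serial_nonlogin_device_t:chr_file { getattr setattr read write ioctl lock };
allow lpd_t   serial_nonlogin_device_t:chr_file { getattr setattr read write ioctl lock };

# Optional, at the administrator's discretion: let ordinary users run
# minicom against the non-login line. No rule is added for
# tty_device_t, so lines that carry a login prompt stay out of reach
# and cannot be used to spoof a login.
allow user_t  serial_nonlogin_device_t:chr_file { getattr read write ioctl };

# Matching file context entries (these belong in the file contexts
# configuration, shown as comments to keep the example in one block):
#
#   /dev/ttyS0   -c   system_u:object_r:tty_device_t
#   /dev/ttyS1   -c   system_u:object_r:serial_nonlogin_device_t
```

The second option in the message would replace the single new type with one type per consumer, which removes the shared `allow` rules but requires relabeling a device whenever its use changes.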

 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service