
SELinux Mailing List

Re: devfs permissions

From: Russell Coker <russell_at_coker.com.au>
Date: Mon, 25 Feb 2002 19:13:26 +0100


On Mon, 25 Feb 2002 18:40, Stephen Smalley wrote:
> On Sun, 24 Feb 2002, Russell Coker wrote:
> > In either case we need to have devfsd manage SIDs on devfs nodes,
> > currently /dev/initctl and /dev/log don't get assigned a SID on devfs
> > (also other pipes and sockets would have the same problem - but aren't as
> > important and don't fail as spectacularly).
>
> Files created at runtime, such as /dev/initctl and /dev/log, should be
> labeled based on the file_type_auto_trans() rules that already exist for
> the appropriate domains. Of course, the current rules assume that the
> parent directory type is device_t. I see that you changed the / entry in
> devfs_contexts from device_t to devfs_t. I'm not sure I agree with that
> change - it will require additional file_type_auto_trans rules for the
> devfs case. Why not use device_t for both devfs and traditional /dev?

At the time it seemed like a good idea to have different permissions for devfs than for a regular directory. One reason for this is that there are system programs which have a genuine need for dynamically running mknod on a non-devfs system (such as LVM, and other systems that do similar things). Also, on a non-devfs system an upgrade that installs a new version of the makedev package will generally want to install new device nodes (and sys-admins occasionally remove nodes they don't need or add nodes to match new hardware or drivers). On a devfs system there are only three programs that should create anything under /dev: init, the devfsd startup script, and devfsd itself.

Having a different type for /dev on a devfs system is one way of locking things down to prevent mknod from being run. Another way is to change the policy for device_t to prevent these things. I'm still not certain which is the best option.

-- 
Signatures >4 lines are rude.  If you send email to me or to a mailing list
that I am subscribed to which has >4 lines of legalistic junk at the end
then you are specifically authorizing me to do whatever I wish with the
message (the sig won't be read).

Received on Mon 25 Feb 2002 - 13:22:45 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service