
SELinux Mailing List

Re: serial devices

From: Brian May <bam_at_snoopy.apana.org.au>
Date: Sat, 4 Oct 2003 18:01:03 +1000


On Sat, Oct 04, 2003 at 02:20:21PM +1000, Russell Coker wrote:
> Currently we have serial ports labeled as tty_device_t by default.
>
> The problem is that serial ports are used for modems, printers, and many other
> things than terminals. Currently the sample policy does not permit such
> access. So cups and lpd are not granted access, and if you want to run
> minicom you have to change the context of the device (and add new policy) or
> run minicom as sysadm_t.
>
> I have been thinking of creating a new type for non-login serial devices and
> granting pppd, cups and lpd full access to it, then the administrator would
> have the option of granting users access to it for running minicom without
> allowing them to spoof logins.

What would happen on smaller systems like my desktop machine where I want to use modems for dial-in and dial-out?

> Another possibility is to have different types for the device as used by cups,
> pppd, and minicom. Then change the contexts of serial devices to indicate
> which service they are for, but this could be painful to administer.

This would be my preference. If I have a modem connected to the serial port, I don't want somebody compromising cups, and then using that as a stepping stone to make expensive telephone calls at my expense...

Not that I consider this very likely.

If it's going to be difficult to administer, I wonder if there is anything that could be done to simplify the task?

-- 
Brian May <bam@snoopy.apana.org.au>

Received on Sat 4 Oct 2003 - 04:01:26 EDT
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service