SELinux Mailing List

Re: initial load_policy problem

From: Rogelio Serrano <rogelio_at_smsglobal.net>
Date: Fri, 09 Apr 2004 20:22:52 +0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2004-04-09 20:19:30 +0800 Stephen Smalley <sds@epoch.ncsc.mil> wrote:

> On Fri, 2004-04-09 at 06:37, Rogelio Serrano wrote:
>> How long after the policy load is /dev/console supposed to
>> become console_device_t? Immediately after policy load the
>> label of /dev/console is system_u:system_r:kernel_t.
>
> No it isn't. The label of the open file description is kernel_t, since
> it was opened by a kernel thread, but the label of the device inode is
> console_device_t. Remember that SELinux labels and controls open file
> descriptions (the state referenced by a file descriptor) as well as
> files themselves, because they can be shared among processes. The open
> file descriptions are labeled based on the process that performed the
> open, so when an initial kernel thread opens /dev/console, the open file
> is labeled kernel_t.
>
>> avc: denied { use } for pid=18 exe=/bin/bash path=/dev/console
>> dev=hda16 ino=17895218 scontext=system_u:system_r:initrc_t
>> tcontext=system_u:system_r:kernel_t tclass=fd
>
> Look closely at the above avc message. The tclass is "fd" (file
> descriptor, or more accurately, open file description); the permission
> is "use". The question is whether initrc_t should be inheriting this
> descriptor, not whether it can access /dev/console (the latter is also
> checked, but is likely allowed).
>
I understand. I'm going to audit all the boot programs. At least all the programs called by the init scripts. I will try to avoid adding permissions to the default policy. Thanks.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using the GPG bundle for GNUMail.app

iD8DBQFAdpWayihxuQOYt8wRAiNPAJ9lxgiva7kpDog/U907vHEhUn/QhQCgsHGL
jPVspP8stzd+iENG0EEDXf8=
=md83
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Fri 9 Apr 2004 - 08:23:06 EDT
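The distinction Stephen Smalley draws above, between a denial on the open file description (tclass=fd, permission use) and a denial on the file itself, is easy to miss when reading raw AVC output. As an added illustration, not part of the original message or of any SELinux project code, the Python below parses AVC lines of the form quoted in the thread, splits the security contexts into their type components, and classifies each denial as either descriptor inheritance or file access. The first sample line is the message from the thread re-joined onto one line; the second sample line (a chr_file denial on console_device_t) is constructed here for contrast and did not appear in the thread. The `allow` rule it derives is the policy statement that would silence the denial; the thread's advice is to audit the programs run by the init scripts instead of adding such rules to the default policy.

```python
import re
from dataclasses import dataclass

# Constructed sample input. Line 1 is the AVC message quoted in the thread,
# re-joined onto a single line. Line 2 is constructed for contrast: a denial
# on the device node itself rather than on an inherited descriptor.
SAMPLE_AVC_LINES = [
    "avc: denied { use } for pid=18 exe=/bin/bash path=/dev/console "
    "dev=hda16 ino=17895218 scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:system_r:kernel_t tclass=fd",
    "avc: denied { read write } for pid=18 exe=/bin/bash path=/dev/console "
    "dev=hda16 ino=17895218 scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:object_r:console_device_t tclass=chr_file",
]

# "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AvcRecord:
    result: str       # "denied" or "granted"
    perms: list       # permissions inside the braces, e.g. ["use"]
    fields: dict      # pid, exe, path, scontext, tcontext, tclass, ...


def parse_avc(line):
    """Parse one AVC message; return None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return AvcRecord(m.group("result"), m.group("perms").split(), fields)


def context_type(ctx):
    """Extract the type field from user:role:type[:level]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def interpret(rec):
    """Classify a denial as descriptor inheritance (fd:use) or file access.

    Returns (kind, explanation). For tclass=fd the target type is the type of
    the process that performed the open, not the label of the file's inode,
    so the question raised is whether the descriptor should be inherited.
    """
    tclass = rec.fields.get("tclass", "")
    path = rec.fields.get("path", "?")
    stype = context_type(rec.fields.get("scontext", ""))
    ttype = context_type(rec.fields.get("tcontext", ""))
    if tclass == "fd" and "use" in rec.perms:
        return (
            "fd-inheritance",
            f"{stype} inherited an open file description labeled {ttype} "
            f"(opened by a {ttype} process on {path}); check whether the "
            f"descriptor should be passed on, not whether {stype} may open {path}",
        )
    return (
        "file-access",
        f"{stype} accessed {path} (labeled {ttype}, class {tclass}): "
        + " ".join(rec.perms),
    )


def allow_rule(rec):
    """The policy rule that would permit this denial, in SELinux policy syntax."""
    stype = context_type(rec.fields["scontext"])
    ttype = context_type(rec.fields["tcontext"])
    perms = " ".join(rec.perms)
    body = perms if len(rec.perms) == 1 else "{ " + perms + " }"
    return f"allow {stype} {ttype}:{rec.fields['tclass']} {body};"


def triage(lines):
    """Parse and classify every AVC line; skip lines that are not AVC records."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        kind, why = interpret(rec)
        out.append((kind, allow_rule(rec), why))
    return out


if __name__ == "__main__":
    for kind, rule, why in triage(SAMPLE_AVC_LINES):
        print(f"[{kind}] {why}\n    would need: {rule}")
```

Running it on the two sample lines reports the first as `fd-inheritance` (the rule that would silence it is `allow initrc_t kernel_t:fd use;`) and the second as `file-access` on `console_device_t`, which is the separation the reply above asks the reader to make before touching policy.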

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service