
Re: TTY question


On Thu, 2005-02-10 at 13:04, Ivan Gyurdiev wrote:
> Should 
> allow $1 privfd:fd use;
> be in that macro? 
> 
> What does that do?
> I see it next to the other rules.

In order to inherit, receive or use an open descriptor, a domain must
have both use permission to the fd (which is labeled based on the domain
that performed the open) and appropriate read/write permissions
(depending on the fd flags) to the file itself.  The privfd attribute
was originally to allow marking of certain domains like login and sshd
that handled opening of the tty/pty for use in allow rules enabling many
other domains to inherit and use the descriptors from these domains. 
newrole actually closes and re-opens descriptors 0-2 in order to get
them into its domain so that subsequent programs only need to inherit
from it rather than from the original user domain.  However, this proved
problematic for su and sudo, and the current policy associates privfd
with the user domains as well so that programs run from su'd shells or
via sudo are able to inherit the descriptors as well.  It would be
preferable to introduce a proxy pty into su and sudo similar to what has
been done recently by Manoj for run_init in order to properly isolate
and protect the different domains.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
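The two-part check Stephen describes (permission on the descriptor object, plus permission on the file it refers to) is easiest to see written out as policy. The following is an added illustration in the style of an m4 policy macro; it is not from the original message and is not the macro Ivan asked about. The macro name `inherit_tty_from_privfd` is invented, the domain and type names `sshd_t`, `local_login_t`, `devpts_t`, `user_devpts_t` and `user_tty_device_t` are used as familiar examples from the example policy of that era, and the exact permission sets should be taken from whatever policy is actually in use.

```m4
# Added illustration, not part of the original mailing list thread.
# Hypothetical interface for a domain $1 that inherits descriptors 0-2
# (its controlling tty/pty) from a domain carrying the privfd attribute.
define(`inherit_tty_from_privfd', `
# Part 1: permission on the descriptor object itself.  An open fd is
# labeled with the domain that performed the open (sshd_t, local_login_t,
# a user domain after su/sudo, ...).  Rather than listing each of those
# domains, the privfd attribute collects them, so one rule covers all.
allow $1 privfd:fd use;

# Part 2: permission on the underlying file, matching the flags the fd was
# opened with.  A tty opened read/write needs read and write on the
# chr_file; use alone is not enough, and neither is the file permission
# alone.  Which type applies depends on how the tty was labeled:
#   devpts_t          - a pty slave before any relabel
#   user_devpts_t     - a pty relabeled to the user domain (ssh session)
#   user_tty_device_t - a console/serial tty relabeled to the user domain
allow $1 { devpts_t user_devpts_t user_tty_device_t }:chr_file { read write getattr ioctl };
')

# Example use (also constructed): grant the hypothetical domain mytool_t
# the ability to inherit its tty from login/sshd/user shells.
# inherit_tty_from_privfd(mytool_t)
```

When either half is missing, a denial appears in the audit log with `tclass=fd` (for the missing `use` permission) or `tclass=chr_file` (for the missing read/write), which is the quickest way to tell which of the two rules a new domain still lacks. Since `use` is granted against the label of whoever opened the descriptor, adding a domain to `privfd` widens what every domain holding `allow ... privfd:fd use` can inherit; that is exactly the trade-off behind the message's closing preference for a proxy pty in su and sudo instead of putting user domains into `privfd`.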


--
This message was distributed to subscribers of the selinux mailing list.