[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TTY question

To: ivg2@xxxxxxxxxxx
Subject: Re: TTY question
From: Stephen Smalley <sds@xxxxxxxxxxxxxx>
Date: Thu, 10 Feb 2005 16:16:15 -0500
Cc: SELinux <selinux@xxxxxxxxxxxxx>
In-reply-to: <1108069944.3689.9.camel@xxxxxxxxxxxxxx>
Organization: National Security Agency
References: <1107915334.6602.1.camel@xxxxxxxxxxxxxx> <1107954368.17568.25.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1108000939.5241.10.camel@xxxxxxxxxxxxxx> <1108039573.22172.37.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1108043320.326.1.camel@xxxxxxxxxxxxxx> <1108058666.3808.2.camel@xxxxxxxxxxxxxx> <1108062931.4443.3.camel@xxxxxxxxxxxxxx> <1108063884.22172.231.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1108067400.5249.10.camel@xxxxxxxxxxxxxx> <1108067486.22172.251.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1108069944.3689.9.camel@xxxxxxxxxxxxxx>
Sender: owner-selinux@xxxxxxxxxxxxx

On Thu, 2005-02-10 at 16:12, Ivan Gyurdiev wrote:
> It's restored fine.
> /dev/pts/x goes to sysadm_devpts_t after su
>   and back to user_devpts_t after exit.
>   
>  There are no denials.

Ok, good.

> The permissions you want to remove are { append lock ioctl } on
> chr_file, and { lock ioctl } on dir.
> 
> What should I do? ioctl could be allowed for su for now, and then if
> denials show up it could be reverted to rw_perms in the macro.

I'd reduce the permissions in the macro for now, and just give ioctl to
su via a separate allow rule.

> P.S. The java policy had dontaudit tty rules and not allow.
> I changed them by accident. Should they be changed back, or 
> do you think allow is correct?

I don't have that policy in our tree.  Is it for the java plugin run
from mozilla or for java run by a user domain?  If the former, likely
want dontaudit.  If the latter, likely want/need allow.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

Follow-Ups:
- Re: TTY question
  - From: Ivan Gyurdiev
- Re: TTY question
  - From: Ivan Gyurdiev

References:
- TTY question
  - From: Ivan Gyurdiev
- Re: TTY question
  - From: Stephen Smalley
- Re: TTY question
  - From: Ivan Gyurdiev
- Re: TTY question
  - From: Stephen Smalley
- Re: TTY question
  - From: Ivan Gyurdiev
- Re: TTY question
  - From: Ivan Gyurdiev
- Re: TTY question
  - From: Ivan Gyurdiev
- Re: TTY question
  - From: Stephen Smalley
- Re: TTY question
  - From: Ivan Gyurdiev
- Re: TTY question
  - From: Stephen Smalley
- Re: TTY question
  - From: Ivan Gyurdiev

Prev by Date: Re: TTY question
Next by Date: Modifications to the local.users file
Previous by thread: Re: TTY question
Next by thread: Re: TTY question
Index(es):
- Date
- Thread

This mailing list archive is a service of Copilot Consulting.