--- Stephen Smalley <[EMAIL PROTECTED]> wrote: > On Wed, 2007-07-18 at 18:15 -0700, Casey Schaufler wrote: > > --- Joshua Brindle <[EMAIL PROTECTED]> wrote: > > > > > Casey Schaufler wrote: > > > > ... > > > > > > > > I do have a hackish newsmack command, which I should probably include. > > > > All it does is write the new label to /proc/self/attr/current and > > > > exec the desired program. That's not good enough for a production > > > > system because of the well known pty, tty, and open files issues, > > > > but fine for development purposes. > > > > > > > > > > Right, I'd like to see how you solve those problems :) > > > > Me too. Especially with devpts "out of bounds". I have some ideas, > > but I don't know whether they're good ones yet. > > I'm not sure what you mean by the above.
There was discussion some time back in which changes to devpts had been suggested but rejected due to the firm stand of the devpts maintainers. I can dredge the thread up if it's important. > In selinux, we label the ptys > with a label derived from the allocating task at creation time (handled > by d_instantiate hook), So far so good ... > and then let userspace relabel them as > appropriate based for the user session label for login/sshd and newrole. ... which may be the end solution. Another way to do it is to associate a label with the connection between the pseudo devices rather than the endpoints. That might require devpts changes. If there is a kernel based solution, and I don't have one in hand yet, it would be slick. Casey Schaufler [EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
