Riny Qian wrote:
>
>> What happens in this (on TX) case:

That was supposed to say non TX. Device allocation works without TX it is a standard Solaris feature.

> TX does not allow users to log in via console and virtual
> consoles.

Yes but that isn't relevant to the example I gave since device allocation is a standard Solaris feature that doesn't need TX. I agree though that with TX enabled normal users won't be able to login on the console or virtual consoles anyway since they have a label outside of the users clearance.

>> That seems wrong and completely counter to the whole
>> purpose of device allocation.
>
> The changes to logindevperm should be independent on
> allocate(1M).

I don't see that they are because with your project adding an ACL to the device, say the audio device. How is it ensuring that the device isn't already allocated with allocate(1M) to an end user?

> Any way, we'll look further and communicate with TX guys in
> security community.

Thanks.

--
Darren J Moffat