Re: ppp security settings

From: Stephen Smalley <sds_at_tislabs.com>
Date: Tue, 22 Jan 2002 09:00:58 -0500 (EST)

On Sat, 19 Jan 2002, Russell Coker wrote:

> I have attached a patch against the latest selinux-small for pppd settings
> (granting access to /dev/ppp by the program /usr/sbin/pppd).
>
> Also I have added settings for /dev/vc/* (devfs equivalent of /dev/tty[0-9]+)
> and /dev/pts/*.
>
> Also I have added dhclient to the domain dhcpc_exec_t and made appropriate
> changes for its config files.
>
> Let me know if I'm doing anything stupid here.

A few questions and comments:

  1. I would only add pppd_t to system_r. If started by an administrator, it should be done via run_init, so you don't need it in sysadm_r. Do you really want it started by ordinary users? If not, then drop it from user_r in rbac and drop the user_t transition from pppd.te.
  2. I doubt that you really need all of the "priv*" attributes on the pppd_t domain - you probably just cut-and-pasted from an existing domain that did need those attributes. In particular, pppd_t should have no reason to be associated with the "privuser", "privrole", or "privowner" attributes.
  3. Your diff doesn't show the type declaration for net_device_t anywhere - probably in types/files.te.
  4. I'm not familiar with dhclient, so I'm not sure whether it belongs in the same domain as dhcpcd.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




Received on Tue 22 Jan 2002 - 09:11:48 EST
