From: Russell Coker <russell_at_coker.com.au>
subject: ppp security settings
Date: Sat, 19 Jan 2002 19:23:03 +0100


I have attached a patch against the latest selinux-small for pppd settings (granting access to /dev/ppp by the program /usr/sbin/pppd).

Also I have added settings for /dev/vc/* (devfs equivalent of /dev/tty[0-9]+) and /dev/pts/*.

Also I have added dhclient to the domain dhcpc_exec_t and made appropriate changes for its config files.

Let me know if I'm doing anything stupid here.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

  • text/x-diff attachment: d
From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: ppp security settings
Date: Tue, 22 Jan 2002 09:00:58 -0500 (EST)

On Sat, 19 Jan 2002, Russell Coker wrote:

> I have attached a patch against the latest selinux-small for pppd settings
> (granting access to /dev/ppp by the program /usr/sbin/pppd).
>
> Also I have added settings for /dev/vc/* (devfs equivalent of /dev/tty[0-9]+)
> and /dev/pts/*.
>
> Also I have added dhclient to the domain dhcpc_exec_t and made appropriate
> changes for its config files.
>
> Let me know if I'm doing anything stupid here.

A few questions and comments:

  1. I would only add pppd_t to system_r. If started by an administrator, it should be done via run_init, so you don't need it in sysadm_r. Do you really want it started by ordinary users? If not, then drop it from user_r in rbac and drop the user_t transition from pppd.te.
  2. I doubt that you really need all of the "priv*" attributes on the pppd_t domain - you probably just cut-and-pasted from an existing domain that did need those attributes. In particular, pppd_t should have no reason to be associated with the "privuser", "privrole", or "privowner" attributes.
  3. Your diff doesn't show the type declaration for net_device_t anywhere - probably in types/files.te.
  4. I'm not familiar with dhclient, so I'm not sure whether it belongs in the same domain as dhcpcd.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




From: Russell Coker <russell_at_coker.com.au>
subject: Re: ppp security settings
Date: Fri, 25 Jan 2002 14:06:15 +1100


On Wed, 23 Jan 2002 01:00, Stephen Smalley wrote:
> On Sat, 19 Jan 2002, Russell Coker wrote:
> > I have attached a patch against the latest selinux-small for pppd
> > settings (granting access to /dev/ppp by the program /usr/sbin/pppd).
> >
> > Also I have added settings for /dev/vc/* (devfs equivalent of
> > /dev/tty[0-9]+) and /dev/pts/*.
> >
> > Also I have added dhclient to the domain dhcpc_exec_t and made
> > appropriate changes for its config files.
> >
> > Let me know if I'm doing anything stupid here.
>
> A few questions and comments:
>
> 1) I would only add pppd_t to system_r. If started by an administrator,
> it should be done via run_init, so you don't need it in sysadm_r.

Your other message regarding run_init convinced me about this.

> Do you
> really want it started by ordinary users? If not, then drop it from
> user_r in rbac and drop the user_t transition from pppd.te.

In some situations yes. If someone is running a laptop to connect to the net then they will generally want to start and stop pppd as non-root and non-sysadm_r.

I think I will put in the user_t transition in a comment.

> 2) I doubt that you really need all of the "priv*" attributes on the
> pppd_t domain - you probably just cut-and-pasted from an existing domain

Yes.

> that did need those attributes. In particular, pppd_t should have no
> reason to be associated with the "privuser", "privrole", or "privowner"
> attributes.

OK.

> 3) Your diff doesn't show the type declaration for net_device_t anywhere -
> probably in types/files.te.

In types/device.te:
type net_device_t, file_type;

> 4) I'm not familiar with dhclient, so I'm not sure whether it belongs in
> the same domain as dhcpcd.

dhclient is a dhcp client program. It does exactly the same thing as dhcpcd and (IMHO) deserves to be in the same domain.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

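The three review points above (daemon domain only in system_r, no priv* attributes, every referenced type declared somewhere in the policy) can be checked mechanically. The following is an added example, not code from the thread or from the selinux-small policy; the policy fragment it lints is constructed for illustration and is meant to be fed the concatenated .te and rbac sources, since as Russell's reply shows the net_device_t declaration lives in a different file from the allow rules that use it.

```python
import re

# Constructed policy fragment (not the patch from the thread): a pppd_t domain
# written the way the review objects to, plus the rbac role lines for it.
SAMPLE_TE = """
type pppd_exec_t, file_type, exec_type;
type pppd_t, domain, privlog, privuser, privrole, privowner;
allow pppd_t net_device_t:chr_file { read write };
allow pppd_t pppd_exec_t:file { read execute entrypoint };
role system_r types pppd_t;
role sysadm_r types pppd_t;
role user_r types pppd_t;
"""

PRIV_ATTRS = {"privuser", "privrole", "privowner"}
DAEMON_ROLES = {"system_r"}  # daemons are started via run_init, never from a user role

TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,\s*([^;]+))?;", re.M)
ROLE_RE = re.compile(r"^\s*role\s+(\w+)\s+types\s+([^;]+);", re.M)
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):", re.M)


def lint_daemon_domain(policy: str, domain: str) -> list:
    """Return review findings for a daemon domain in the classic example-policy syntax."""
    declared = {}
    for name, attrs in TYPE_RE.findall(policy):
        declared[name] = {a.strip() for a in attrs.split(",")} if attrs else set()
    findings = []
    # 1. A daemon domain should be reachable only from system_r.
    for role, types in ROLE_RE.findall(policy):
        members = set(types.replace("{", " ").replace("}", " ").split())
        if domain in members and role not in DAEMON_ROLES:
            findings.append(f"{domain} added to role {role}; daemons belong in system_r only")
    # 2. privuser/privrole/privowner let a domain change identity, role or file
    #    ownership; a daemon copied from another domain rarely needs them.
    for attr in sorted(declared.get(domain, set()) & PRIV_ATTRS):
        findings.append(f"{domain} carries attribute {attr}; drop it unless the daemon needs it")
    # 3. Every type named in an allow rule must be declared in some .te file.
    for src, tgt in ALLOW_RE.findall(policy):
        for t in (src, tgt):
            if t not in declared:
                findings.append(f"type {t} used in an allow rule but never declared")
    return findings


if __name__ == "__main__":
    for line in lint_daemon_domain(SAMPLE_TE, "pppd_t"):
        print(line)
```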

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT
