Re: dmesg avcs
- From: Josh Boyer <jwboyer charter net>
- To: fedora-selinux-list redhat com
- Subject: Re: dmesg avcs
- Date: Sun, 7 Mar 2004 07:18:35 -0600
On Saturday 06 March 2004 10:15 pm, Russell Coker wrote:
> This should not be possible. You should only be able to enter the dmesg_t
> domain from sysadm_t, anaconda_t, or initrc_t. None of those domains
> should have a terminal labeled with user_devpts_t open at the time.
>
> How exactly are you running dmesg? What is the context of the program that
> runs it?
start konsole. su - to root. run dmesg. the output from ps -e --context for
the bash shell:
    2011 root:sysadm_r:sysadm_t -bash
> We don't want dmesg_t programs to be under the control of user_t programs.
> If dmesg_t can be reached from user_t and can access its terminals then
> user_t has a chance at getting sys_admin capability (if the user_r user in
> question has UID==0). sys_admin capability should give full control of the
> machine.
ok. i should do more reading on how the rules and domain transitions
function.
josh