cups, /dev/fd

Stephen Smalley sds at epoch.ncsc.mil
Fri Sep 17 14:32:52 UTC 2004


On Fri, 2004-09-17 at 10:30, Tom London wrote:
> Then should /dev/fd (the link) be unlabeled, defaulting
> to the general DAC?  Or labeled, say, self_fd_t,
> with a general rule allowing accesses to it?
> 
> Could do the same for /dev/stdin, /dev/stdout, and
> /dev/stderr.

I don't see why you wouldn't just generally give search to device_t:dir
for /dev and read to device_t:lnk_file for
/dev/{fd,stdin,stdout,stderr}.  Maintaining individual types on those
symlinks seems overkill.  BTW, unlabeled doesn't default to general DAC,
it is inaccessible to most domains.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency

More information about the fedora-selinux-list mailing list