[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: cups, /dev/fd

From: Stephen Smalley <sds epoch ncsc mil>
To: Tom London <selinux gmail com>, "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
Cc:
Subject: Re: cups, /dev/fd
Date: Fri, 17 Sep 2004 10:32:52 -0400

On Fri, 2004-09-17 at 10:30, Tom London wrote:
> Then should /dev/fd (the link) be unlabeled, defaulting
> to the general DAC?  Or labeled, say, self_fd_t,
> with a general rule allowing accesses to it?
> 
> Could do the same for /dev/stdin, /dev/stdout, and
> /dev/stderr.

I don't see why you wouldn't just generally give search to device_t:dir
for /dev and read to device_t:lnk_file for
/dev/{fd,stdin,stdout,stderr}.  Maintaining individual types on those
symlinks seems overkill.  BTW, unlabeled doesn't default to general DAC,
it is inaccessible to most domains.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency

Follow-Ups:
- Re: cups, /dev/fd
  - From: Tom London

References:
- cups, /dev/fd
  - From: Tom London
- Re: cups, /dev/fd
  - From: Stephen Smalley
- Re: cups, /dev/fd
  - From: Tom London

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]