Re: cups, /dev/fd
- From: Tom London <selinux gmail com>
- To: Stephen Smalley <sds epoch ncsc mil>, "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Subject: Re: cups, /dev/fd
- Date: Fri, 17 Sep 2004 07:45:07 -0700
oops.... (got tripped up on /proc).
Yeah. Your approach is better.
thanks,
tom
On Fri, 17 Sep 2004 10:32:52 -0400, Stephen Smalley <sds epoch ncsc mil> wrote:
> On Fri, 2004-09-17 at 10:30, Tom London wrote:
> > Then should /dev/fd (the link) be unlabeled, defaulting
> > to the general DAC? Or labeled, say, self_fd_t,
> > with a general rule allowing accesses to it?
> >
> > Could do the same for /dev/stdin, /dev/stdout, and
> > /dev/stderr.
>
> I don't see why you wouldn't just generally give search to device_t:dir
> for /dev and read to device_t:lnk_file for
> /dev/{fd,stdin,stdout,stderr}. Maintaining individual types on those
> symlinks seems overkill. BTW, unlabeled doesn't default to general DAC,
> it is inaccessible to most domains.
>
>
>
> --
> Stephen Smalley <sds epoch ncsc mil>
> National Security Agency
>
>
--
Tom London