How do I make sure programs have write access to their own tty?

Stephen Smalley sds at epoch.ncsc.mil
Mon Mar 29 17:12:09 UTC 2004


On Sat, 2004-03-27 at 20:12, Aleksey Nogin wrote:
> When I run (from staff_r) things via sudo, then sometimes it turns out 
> that the programs I run end up not being able to communicate back to me 
> as they are denied access to the tty they are running on (see 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119209 for details).
> 
> Is there some way within the SELinux framework to give programs write 
> access to the tty they are running on w/o giving them write access to 
> all the ttys of the same type?

Types are security equivalence classes.  So if you've placed a set of
objects into a single type, then they are accessible in the same
manner.  Now, you can have programs transition into derived domains that
preserve their call chain information, and use that to control access to
types, e.g. staff_t runs program foo in staff_foo_t and sysadm_t runs
program foo in sysadm_foo_t, and $1_foo_t only gets access to
$1_devpts_t.

However, in this particular case, where sudo is performing an explicit
role change, I would expect that sudo would relabel the pty based on the
new user domain, so it should be relabeled to sysadm_devpts_t while the
command is being executed, and then reset to its original type.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
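The derived-domain pattern described in the reply, written out as an added example in the m4 macro style of the 2004 strict policy; this is illustrative policy, not from the thread or from the Fedora policy sources, and the macro name foo_domain, the types foo_exec_t and $1_foo_t, and the program "foo" are hypothetical.

```m4
# Hypothetical macro: give each calling domain ($1_t) its own derived
# domain ($1_foo_t) for program foo, so the derived domain carries the
# caller's identity and can be granted only the caller's pty type.
define(`foo_domain', `
# derived domain for foo when run from $1_t
type $1_foo_t, domain;
# entry point; shared by all callers, so it is not role-prefixed
type foo_exec_t, file_type, sysadmfile, exec_type;
# executing foo_exec_t from $1_t automatically enters $1_foo_t
domain_auto_trans($1_t, foo_exec_t, $1_foo_t)
# foo may talk back over the caller''s pty type only, not over
# every devpts type (staff_devpts_t, sysadm_devpts_t, ...)
allow $1_foo_t $1_devpts_t:chr_file { read write getattr ioctl };
')

# instantiate once per role; each instance sees only its own ptys:
# staff_foo_t -> staff_devpts_t, sysadm_foo_t -> sysadm_devpts_t
foo_domain(staff)
foo_domain(sysadm)
```

To check which devpts type a session's pty actually carries (and whether sudo relabeled it as the reply expects), run `ls -Z $(tty)` before and during the sudo command.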