[redhat-lspp] lspp 12 kernel released

Russell Coker rcoker at redhat.com
Tue Mar 14 02:40:08 UTC 2006


On Tue, 2006-03-14 at 11:33 +1100, Russell Coker wrote:
> As mentioned on the LSPP telecon the lack of search access to /dev/pts
> is because it's labeled as SystemHigh, it should be
> SystemLow-SystemHigh.  I'm looking into that now.

fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0 - s15:c0.c255)

I've tried using the above in terminal.te, but it doesn't do any good.
I suspect that the kernel is using SystemHigh as the level for the root
of the devpts file system because that's the level used for all kernel
processes (devpts is significantly different from other file systems in
regard to the kernel code - which incidentally is why we get back-traces
from the kernel).  Steve, could you comment on this?

Also in the current policy we have a file_contexts entry for /dev/pts,
so an interim solution is to put "restorecon /dev/pts"
in /etc/rc.sysinit immediately after /dev/pts is mounted.  I don't
believe that this is the correct solution though.

Currently the /dev/pts mount-point on the tmpfs used for /dev is labeled
with type devpts_t, I think that this is the wrong thing to do.  I think
that we should have /dev/pts -d <<null>> in the file contexts and have
the kernel automatically label the file system.  Also the type devpts_t
should not be associated with any other file systems (so it should not
be possible to label a directory on a tmpfs file system as devpts_t).
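The access problem described in this message, worked through as an added example that is not part of the list thread: a small Python model of the MLS "dir search" constraint (assumed here in its reference-policy form, subject low level must dominate the directory's low level, with the mlsfileread and mlstrustedobject exemptions left out) applied to a /dev/pts labeled SystemHigh only versus SystemLow-SystemHigh. The contexts used are constructed for illustration.

```python
"""Model of the MLS directory-search check behind the /dev/pts problem.

Assumed constraint (reference-policy style): a subject may search a
directory only if the subject's low level dominates the directory's low
level.  A single-level label such as s15:c0.c255 has low == high, so a
process running at s0 cannot search it; s0-s15:c0.c255 has low == s0.
"""


def parse_level(level):
    """'s15:c0.c255' -> (15, {0..255}); 's0' -> (0, empty set)."""
    sens, _, cats = level.partition(":")
    catset = set()
    for part in cats.split(",") if cats else []:
        if "." in part:  # a range such as c0.c255
            lo, hi = part.split(".")
            catset.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:            # a single category such as c5
            catset.add(int(part[1:]))
    return int(sens[1:]), frozenset(catset)


def parse_range(mls):
    """'s0-s15:c0.c255' -> (low, high); a single level has low == high."""
    low, _, high = mls.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def dominates(a, b):
    """Level a dominates b if its sensitivity is >= and its categories
    are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def mls_of(context):
    """Return the MLS field of 'user:role:type:mls' (colons in the range
    belong to the MLS field)."""
    return context.split(":", 3)[3]


def can_search(subject_ctx, dir_ctx):
    """Apply the assumed 'dir search' constraint: l1 dom l2."""
    l1, _ = parse_range(mls_of(subject_ctx))
    l2, _ = parse_range(mls_of(dir_ctx))
    return dominates(l1, l2)


if __name__ == "__main__":
    user = "user_u:user_r:user_t:s0"                        # constructed
    for pts in ("system_u:object_r:devpts_t:s15:c0.c255",   # SystemHigh only
                "system_u:object_r:devpts_t:s0-s15:c0.c255"):
        print(pts, "->", "search ok" if can_search(user, pts) else "denied")
```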
