Hi all,
I am confused about the labels on the tty dev nodes. I looked in refpol
and the only fcontext is:
/dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
The implications of this are that everything is labelled with
tty_device_t but I am pretty sure this is wrong. I have seen several
different types of nodes which I think should have separate labels.
Ones that I am aware of (please add more or correct my understanding if
it is wrong)
/dev/tty0 -- The consoles (eg ctrl+alt+f1)
/dev/ttyS -- A physical serial port
/dev/ttyUSB0 -- A usb-to-serial port
/dev/ttyACM0 -- I have seen this for both usb-to-serial on embedded
microcontrollers as well as 3G modems and the like.
/dev/usb/tty.* -- I have no idea what this is, its not on my system but
it is labelled usbtty_device_t in refpol.
The label on tty0 seems correct, the label on ttyUSB0 and ttyACM0 should
probably be usbtty_device_t. As for what the label should be on ttyS0, I
am not sure.
Thoughts? I dont want to just send in a patch changing this before I
understand *exactly* what these are used for in case they break
something else.
-- Jason
On 10/22/2014 12:09 PM, Jason Zaman wrote:
> Hi all,
>
> I am confused about the labels on the tty dev nodes. I looked in refpol
> and the only fcontext is:
>
> /dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
>
> The implications of this are that everything is labelled with
> tty_device_t but I am pretty sure this is wrong. I have seen several
> different types of nodes which I think should have separate labels.
>
> Ones that I am aware of (please add more or correct my understanding if
> it is wrong)
>
> /dev/tty0 -- The consoles (eg ctrl+alt+f1)
> /dev/ttyS -- A physical serial port
> /dev/ttyUSB0 -- A usb-to-serial port
> /dev/ttyACM0 -- I have seen this for both usb-to-serial on embedded
> microcontrollers as well as 3G modems and the like.
> /dev/usb/tty.* -- I have no idea what this is, its not on my system but
> it is labelled usbtty_device_t in refpol.
>
> The label on tty0 seems correct, the label on ttyUSB0 and ttyACM0 should
> probably be usbtty_device_t. As for what the label should be on ttyS0, I
> am not sure.
>
> Thoughts? I dont want to just send in a patch changing this before I
> understand *exactly* what these are used for in case they break
> something else.
It seems more likely that usbtty_device_t should be dropped. I don't
see any reason for there to be a distinction based on the underlying
hardware.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 10/23/2014 08:14 AM, Christopher J. PeBenito wrote:
> On 10/22/2014 12:09 PM, Jason Zaman wrote:
>> Hi all,
>>
>> I am confused about the labels on the tty dev nodes. I looked in refpol
>> and the only fcontext is:
>>
>> /dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
>>
>> The implications of this are that everything is labelled with
>> tty_device_t but I am pretty sure this is wrong. I have seen several
>> different types of nodes which I think should have separate labels.
>>
>> Ones that I am aware of (please add more or correct my understanding if
>> it is wrong)
>>
>> /dev/tty0 -- The consoles (eg ctrl+alt+f1)
>> /dev/ttyS -- A physical serial port
>> /dev/ttyUSB0 -- A usb-to-serial port
>> /dev/ttyACM0 -- I have seen this for both usb-to-serial on embedded
>> microcontrollers as well as 3G modems and the like.
>> /dev/usb/tty.* -- I have no idea what this is, its not on my system but
>> it is labelled usbtty_device_t in refpol.
>>
>> The label on tty0 seems correct, the label on ttyUSB0 and ttyACM0 should
>> probably be usbtty_device_t. As for what the label should be on ttyS0, I
>> am not sure.
>>
>> Thoughts? I dont want to just send in a patch changing this before I
>> understand *exactly* what these are used for in case they break
>> something else.
> It seems more likely that usbtty_device_t should be dropped. I don't
> see any reason for there to be a distinction based on the underlying
> hardware.
>
>
I agree.
On Thu, Oct 23, 2014 at 08:14:56AM -0400, Christopher J. PeBenito wrote:
> On 10/22/2014 12:09 PM, Jason Zaman wrote:
> > Hi all,
> >
> > I am confused about the labels on the tty dev nodes. I looked in refpol
> > and the only fcontext is:
> >
> > /dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
> >
> > The implications of this are that everything is labelled with
> > tty_device_t but I am pretty sure this is wrong. I have seen several
> > different types of nodes which I think should have separate labels.
> >
> > Ones that I am aware of (please add more or correct my understanding if
> > it is wrong)
> >
> > /dev/tty0 -- The consoles (eg ctrl+alt+f1)
> > /dev/ttyS -- A physical serial port
> > /dev/ttyUSB0 -- A usb-to-serial port
> > /dev/ttyACM0 -- I have seen this for both usb-to-serial on embedded
> > microcontrollers as well as 3G modems and the like.
> > /dev/usb/tty.* -- I have no idea what this is, its not on my system but
> > it is labelled usbtty_device_t in refpol.
> >
> > The label on tty0 seems correct, the label on ttyUSB0 and ttyACM0 should
> > probably be usbtty_device_t. As for what the label should be on ttyS0, I
> > am not sure.
> >
> > Thoughts? I dont want to just send in a patch changing this before I
> > understand *exactly* what these are used for in case they break
> > something else.
>
> It seems more likely that usbtty_device_t should be dropped. I don't
> see any reason for there to be a distinction based on the underlying
> hardware.
>
I was hoping more like having one label for /dev/tty0 (ie the consoles) and
a different label for the rest (ie ttyS0, ttyACM0, ttyUSB0). In my case, I want my
normal user to be able to access the usb-to-serial device but I see no
reason why my user should have access to all the consoles.
Dominick said fedora has something like modem_device_t for ttyACM0 which
makes sense. Perhaps a more generic serial_device_t is better to use for
all of them instead?
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
On 10/26/2014 12:41 AM, Jason Zaman wrote:
> On Thu, Oct 23, 2014 at 08:14:56AM -0400, Christopher J. PeBenito wrote:
>> On 10/22/2014 12:09 PM, Jason Zaman wrote:
>>> Hi all,
>>>
>>> I am confused about the labels on the tty dev nodes. I looked in refpol
>>> and the only fcontext is:
>>>
>>> /dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
>>>
>>> The implications of this are that everything is labelled with
>>> tty_device_t but I am pretty sure this is wrong. I have seen several
>>> different types of nodes which I think should have separate labels.
>>>
>>> Ones that I am aware of (please add more or correct my understanding if
>>> it is wrong)
>>>
>>> /dev/tty0 -- The consoles (eg ctrl+alt+f1)
>>> /dev/ttyS -- A physical serial port
>>> /dev/ttyUSB0 -- A usb-to-serial port
>>> /dev/ttyACM0 -- I have seen this for both usb-to-serial on embedded
>>> microcontrollers as well as 3G modems and the like.
>>> /dev/usb/tty.* -- I have no idea what this is, its not on my system but
>>> it is labelled usbtty_device_t in refpol.
>>>
>>> The label on tty0 seems correct, the label on ttyUSB0 and ttyACM0 should
>>> probably be usbtty_device_t. As for what the label should be on ttyS0, I
>>> am not sure.
>>>
>>> Thoughts? I dont want to just send in a patch changing this before I
>>> understand *exactly* what these are used for in case they break
>>> something else.
>>
>> It seems more likely that usbtty_device_t should be dropped. I don't
>> see any reason for there to be a distinction based on the underlying
>> hardware.
>>
> I was hoping more like having one label for /dev/tty0 (ie the consoles) and
> a different label for the rest (ie ttyS0, ttyACM0, ttyUSB0). In my case, I want my
> normal user to be able to access the usb-to-serial device but I see no
> reason why my user should have access to all the consoles.
>
> Dominick said fedora has something like modem_device_t for ttyACM0 which
> makes sense. Perhaps a more generic serial_device_t is better to use for
> all of them instead?
I think tty_device_t is still appropriate for all of them, since it is
possible to log in via any of those devices.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com