From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 27 Oct 2014 09:49:22 -0400
Subject: [refpolicy] labels on /dev/tty.*
In-Reply-To: <20141026044103.GA29668@meriadoc.omgwtfbbq>
References: <20141022160939.GA5598@meriadoc.omgwtfbbq> <5448F140.6010909@tresys.com> <20141026044103.GA29668@meriadoc.omgwtfbbq>
Message-ID: <544E4D62.4010206@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/26/2014 12:41 AM, Jason Zaman wrote:
> On Thu, Oct 23, 2014 at 08:14:56AM -0400, Christopher J. PeBenito wrote:
>> On 10/22/2014 12:09 PM, Jason Zaman wrote:
>>> Hi all,
>>>
>>> I am confused about the labels on the tty dev nodes. I looked in refpol
>>> and the only fcontext is:
>>>
>>> /dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
>>>
>>> The implications of this are that everything is labelled with
>>> tty_device_t, but I am pretty sure this is wrong. I have seen several
>>> different types of nodes which I think should have separate labels.
>>>
>>> Ones that I am aware of (please add more or correct my understanding if
>>> it is wrong):
>>>
>>> /dev/tty0 -- The consoles (e.g. ctrl+alt+f1)
>>> /dev/ttyS -- A physical serial port
>>> /dev/ttyUSB0 -- A usb-to-serial port
>>> /dev/ttyACM0 -- I have seen this for both usb-to-serial on embedded
>>> microcontrollers as well as 3G modems and the like.
>>> /dev/usb/tty.* -- I have no idea what this is; it's not on my system, but
>>> it is labelled usbtty_device_t in refpol.
>>>
>>> The label on tty0 seems correct; the label on ttyUSB0 and ttyACM0 should
>>> probably be usbtty_device_t. As for what the label should be on ttyS0, I
>>> am not sure.
>>>
>>> Thoughts? I don't want to just send in a patch changing this before I
>>> understand *exactly* what these are used for, in case they break
>>> something else.
>>
>> It seems more likely that usbtty_device_t should be dropped. I don't
>> see any reason for there to be a distinction based on the underlying
>> hardware.
>>
> I was hoping more like having one label for /dev/tty0 (i.e. the consoles) and
> a different label for the rest (i.e. ttyS0, ttyACM0, ttyUSB0). In my case, I want my
> normal user to be able to access the usb-to-serial device, but I see no
> reason why my user should have access to all the consoles.
>
> Dominick said Fedora has something like modem_device_t for ttyACM0, which
> makes sense. Perhaps a more generic serial_device_t is better to use for
> all of them instead?

I think tty_device_t is still appropriate for all of them, since it is
possible to log in via any of those devices.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
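As an added illustration (not part of the thread), the following Python mirrors how file_contexts matching treats the two refpolicy entries mentioned above, so the device nodes Jason lists can be checked against them. It assumes the usual libselinux semantics (regex anchored at both ends, the `-c` type restriction applies, and the last matching entry in the file wins) and assumes the `/dev/usb/tty.*` entry sorts after the generic one; the device paths are constructed sample input.

```python
import re
from typing import List, NamedTuple, Optional


class Spec(NamedTuple):
    regex: str             # path regex as written in the .fc file
    ftype: Optional[str]   # file type restriction, e.g. "-c" for char device, None for any
    label: str             # SELinux type assigned on match


# The two refpolicy entries discussed in the thread. Their relative order in the
# compiled file_contexts is an assumption of this example, not something the thread states.
REFPOLICY_SPECS: List[Spec] = [
    Spec(r"/dev/.*tty[^/]*", "-c", "tty_device_t"),
    Spec(r"/dev/usb/tty.*", "-c", "usbtty_device_t"),
]


def resolve_label(path: str, ftype: str, specs: List[Spec] = REFPOLICY_SPECS) -> Optional[str]:
    """Return the type file_contexts matching would assign to `path`.

    Two rules from libselinux's selabel file backend are reproduced here:
    the regex must match the whole path (re.fullmatch == implicit ^...$), and when
    several entries match, the last one listed overrides the earlier ones.
    `ftype` is the file type flag of the node being labelled ("-c", "-b", "--", ...).
    """
    chosen = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue                 # entry restricted to another file type
        if re.fullmatch(spec.regex, path):
            chosen = spec.label      # a later match replaces an earlier one
    return chosen


def label_devices(paths: List[str]) -> dict:
    """Label every constructed device node as a character device."""
    return {p: resolve_label(p, "-c") for p in paths}


if __name__ == "__main__":
    # Constructed sample: the nodes listed in the thread plus /dev/usb/tty0.
    for path, label in label_devices(
        ["/dev/tty0", "/dev/ttyS0", "/dev/ttyUSB0", "/dev/ttyACM0", "/dev/usb/tty0"]
    ).items():
        print(f"{path:16} -> {label}")
```

The `[^/]*` tail keeps the generic entry from reaching past the last path component, while the leading `.*` still lets it match `/dev/usb/tty0`, so the ordering of the two entries is what decides that node's label.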