From: russell@coker.com.au (Russell Coker)
Date: Tue, 4 Apr 2017 17:47:43 +1000
Subject: [refpolicy] [PATCH] misc fc changes
In-Reply-To: <20170404072328.GA10685@t450.enp8s0.d30>
References: <20170402085805.2zlddx2evzcgxgop@athena.coker.com.au> <20170404072328.GA10685@t450.enp8s0.d30>
Message-ID: <201704041747.43564.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 4 Apr 2017 05:23:28 PM Dominick Grift via refpolicy wrote:
> > --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.fc
> > +++ refpolicy-2.20170329/policy/modules/kernel/terminal.fc
> > @@ -14,6 +14,7 @@
> >
> > /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
> > /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
> > /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
> >
> > +/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
>
> This is probably going to cause issues. This file will be created with
> devpts_t (there is no other way) and so you will have to rely on early
> relabeling of /dev/pts to get this done. Not all systems relabel /dev(/pts)
> early on.

That will only be an issue on systems that don't relabel it early enough and
don't create a /dev/ptmx device node. Such systems wouldn't work properly
with the current policy, so probably don't exist. In this case "early enough"
means "before the first inbound ssh connection".

> So you might end up with devpts_t on some systems and ptmx_t on
> others. (inconsistency)

Actually we have inconsistency right now with /dev/ptmx and /dev/pts/ptmx
having different labels. My patch solves the inconsistency.

> Leaving it devpts_t will at least allow you to rely on the labeling to be
> consistent, and since that is the only file that will ever legitimately
> end up devpts_t that should not be a problem

If we are going to take that approach then we should make ptmx_t an alias
for devpts_t and label /dev/ptmx as devpts_t.

Chris, what do you think?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
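Review bot: the added /dev/pts/ptmx line in the terminal.fc hunk only takes effect once /dev/pts has been relabeled, because (as noted in the thread) the node is created with devpts_t and a file-context entry does not change the label of an already-created file by itself; the patch should document that a relabel of /dev/pts must run before the first pty is opened (the "before the first inbound ssh connection" ordering described here), or take the alternative already raised in this reply of making ptmx_t an alias for devpts_t and labeling /dev/ptmx devpts_t, which removes the ordering dependency instead of relying on it.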