mac_mls mac_biba mac_lomac patches to fix ptys_equal mib
support for new /dev/pts in FreeBSD 8
Selphie Keller
selphie.keller at gmail.com
Sun Mar 7 06:31:09 UTC 2010
Robert,
I have security.mac.mls.revocation_enabled set to 0, sshd was running as
mls/equal(equal-equal) and my staff user was running as mls/2(low-high) and
sshd gave the error message:
Feb 25 21:46:14 labyrinth sshd[90850]: error: /dev/pts/5: Permission denied
Feb 25 21:46:14 labyrinth sshd[90850]: error: open /dev/tty failed - could
not set controlling tty: Permission denied
where /dev/pts/5 was set as mls/low, which does seem to be a normal response
when you have a higher grade trying to write to a lower grade with mls
enforced. However, this error only occurs when a higher grade logs into the
machine with mls/2(low-high) and is trying to write to /dev/pts/* with
mls/low, when a insecure user logs in as mls/low(low-low) errors are not
seen or if the user is exempted as mls/equal(equal-equal).
I can recompile the module without the patch and regress it back to try and
recreate the issues, if needed.
-Selphie
-----Original Message-----
From: Robert Watson [mailto:rwatson at FreeBSD.org]
Sent: Saturday, March 06, 2010 8:53 AM
To: Selphie Keller
Cc: freebsd-hackers at freebsd.org
Subject: RE: mac_mls mac_biba mac_lomac patches to fix ptys_equal mib
support for new /dev/pts in FreeBSD 8
On Tue, 2 Mar 2010, Selphie Keller wrote:
> - (2) Could you let me know how your login.conf + user labels are
> configured, and show me the output of "ps -axZ | grep sshd"?
>
> /etc/login.conf label configurations I use
>
> Staff users: label=mls/2(low-high)
> Deamons: label=mls/equal(equal-equal)
> Insecure users: label=mls/low(low-low)
>
> If you need the exact data from login.conf I can provide it, but is a bit
> tricky as I use tc= to call from one class to another class and override,
in
> which default class is mls/low.
Am I right in thinking that you have security.mac.biba.revocation_enabled
and/or security.mac.mls.revocation_enabled set? Revocation being enabled
might explain why you're seeing this issue, but other users aren't reporting
problems.
Robert N M Watson
Computer Laboratory
University of Cambridge
More information about the freebsd-hackers
mailing list