mac_mls mac_biba mac_lomac patches to fix ptys_equal mib support for new /dev/pts in FreeBSD 8

Selphie Keller selphie.keller at gmail.com
Sun Mar 7 06:31:09 UTC 2010


Robert,

I have security.mac.mls.revocation_enabled set to 0, sshd was running as
mls/equal(equal-equal) and my staff user was running as mls/2(low-high) and
sshd gave the error message: 

Feb 25 21:46:14 labyrinth sshd[90850]: error: /dev/pts/5: Permission denied
Feb 25 21:46:14 labyrinth sshd[90850]: error: open /dev/tty failed - could not set controlling tty: Permission denied

where /dev/pts/5 was set as mls/low, which does seem to be a normal response
when you have a higher grade trying to write to a lower grade with mls
enforced. However, this error only occurs when a higher grade logs into the
machine with mls/2(low-high) and tries to write to /dev/pts/* labelled
mls/low; when an insecure user logs in as mls/low(low-low), or if the user is
exempted as mls/equal(equal-equal), the errors are not seen.

I can recompile the module without the patch and regress it back to try and
recreate the issues, if needed. 

-Selphie

-----Original Message-----
From: Robert Watson [mailto:rwatson at FreeBSD.org] 
Sent: Saturday, March 06, 2010 8:53 AM
To: Selphie Keller
Cc: freebsd-hackers at freebsd.org
Subject: RE: mac_mls mac_biba mac_lomac patches to fix ptys_equal mib
support for new /dev/pts in FreeBSD 8


On Tue, 2 Mar 2010, Selphie Keller wrote:

> - (2) Could you let me know how your login.conf + user labels are
> configured, and show me the output of "ps -axZ | grep sshd"?
>
> /etc/login.conf label configurations I use:
>
> Staff users: label=mls/2(low-high)
> Daemons: label=mls/equal(equal-equal)
> Insecure users: label=mls/low(low-low)
>
> If you need the exact data from login.conf I can provide it, but it is a bit
> tricky, as I use tc= to call from one class to another class and override
> it; the default class is mls/low.

Am I right in thinking that you have security.mac.biba.revocation_enabled
and/or security.mac.mls.revocation_enabled set?  Revocation being enabled
might explain why you're seeing this issue, but other users aren't reporting
problems.

Robert N M Watson
Computer Laboratory
University of Cambridge
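As an added example (not code from this thread, and not the FreeBSD kernel's own code), here is a Python model of the mac_mls label comparison that produces the sshd "Permission denied" discussed above. It follows the dominance rule of mac_mls's mls_dominate_element and its vnode open check as I understand them: write needs the object label to dominate the subject's effective label (no write down), read needs the subject's effective label to dominate the object's (no read up), and compartments are a subset test. The `Element`, `Label`, `dominates` and `check_open` names are mine; the (low-high) range of a subject label is parsed but, as in the kernel's open check, not consulted.

```python
"""Model of the FreeBSD mac_mls label comparison behind the sshd error above.

Added example: a re-implementation in Python, not the kernel code.  It parses
labels in the mls/<effective>(<low>-<high>) form used in login.conf and by
getfmac/setfmac, with optional compartments written <level>:<c>+<c>.
"""
import re
from dataclasses import dataclass
from typing import Optional

LOW, LEVEL, HIGH, EQUAL = "low", "level", "high", "equal"


@dataclass(frozen=True)
class Element:
    kind: str                                   # LOW, LEVEL, HIGH or EQUAL
    level: int = 0                              # used only when kind == LEVEL
    compartments: frozenset = frozenset()       # used only when kind == LEVEL


@dataclass(frozen=True)
class Label:
    effective: Element
    low: Optional[Element] = None               # range: only subjects carry one
    high: Optional[Element] = None


def parse_element(text: str) -> Element:
    text = text.strip()
    if text in (LOW, HIGH, EQUAL):
        return Element(text)
    m = re.fullmatch(r"(\d+)(?::(\d+(?:\+\d+)*))?", text)
    if m is None:
        raise ValueError(f"bad MLS element: {text!r}")
    comps = frozenset(int(c) for c in m.group(2).split("+")) if m.group(2) else frozenset()
    return Element(LEVEL, int(m.group(1)), comps)


def parse_label(text: str) -> Label:
    """Parse 'mls/low', 'mls/10:2+3' or 'mls/2(low-high)'."""
    m = re.fullmatch(r"mls/([^(\s]+)\s*(?:\(([^-)]+)-([^)]+)\))?", text.strip())
    if m is None:
        raise ValueError(f"bad MLS label: {text!r}")
    effective = parse_element(m.group(1))
    if m.group(2) is None:
        return Label(effective)
    return Label(effective, parse_element(m.group(2)), parse_element(m.group(3)))


def dominates(a: Element, b: Element) -> bool:
    """True when a dominates b: 'equal' and 'high' dominate everything,
    'low' dominates only 'low' and 'equal', and a numbered level dominates a
    lower-or-equal level whose compartments it includes (subset check)."""
    if a.kind in (EQUAL, HIGH):
        return True
    if a.kind == LOW:
        return b.kind in (LOW, EQUAL)
    if b.kind in (LOW, EQUAL):
        return True
    if b.kind == HIGH:
        return False
    return b.compartments <= a.compartments and a.level >= b.level


def check_open(subject: Label, obj: Label, read: bool = True, write: bool = True) -> str:
    """Decide an open() of an object (here a pty) by a subject.
    Only effective labels are compared; the subject's range is ignored here.
    Write needs the object to dominate the subject (no write down);
    read needs the subject to dominate the object (no read up)."""
    if write and not dominates(obj.effective, subject.effective):
        return "EACCES (write down)"
    if read and not dominates(subject.effective, obj.effective):
        return "EACCES (read up)"
    return "ok"


if __name__ == "__main__":
    # Constructed cases: the three login.conf classes from the thread opening
    # a pty labelled mls/low (what the reporter saw) and one labelled mls/equal
    # (what a pty relabelled under ptys_equal would carry).
    for user in ("mls/2(low-high)", "mls/low(low-low)", "mls/equal(equal-equal)"):
        for pty in ("mls/low", "mls/equal"):
            verdict = check_open(parse_label(user), parse_label(pty))
            print(f"{user:24} open {pty:10} rw -> {verdict}")
```

Run stand-alone, the table shows the pattern the reporter describes: only the mls/2(low-high) subject is refused on an mls/low pty (write down), while mls/low(low-low) and mls/equal(equal-equal) are allowed; against a pty labelled mls/equal every subject is allowed, which is why the pty label, not the user's range, is what the ptys_equal handling has to get right.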


