mac_mls mac_biba mac_lomac patches to fix ptys_equal mib support
for new /dev/pts in FreeBSD 8
Robert Watson
rwatson at FreeBSD.org
Tue Mar 2 11:32:20 UTC 2010
On Mon, 1 Mar 2010, Estella Mystagic wrote:
> Found issues with sysctl mibs security.mac.biba.ptys_equal,
> security.mac.lomac.ptys_equal, security.mac.mls.ptys_equal, not supporting
> new /dev/pts terminal system in FreeBSD 8, proposed fix for issue.
>
> When using a higher security grade/clearance with mac_mls it prevents
> writing to the /dev/pts/5 as it's set as mls/low and subjects may not write
> to objects with a lower classification level than its own clearance level.
>
> Feb 25 21:42:16 labyrinth sshd[30965]: error: /dev/pts/5: Permission denied
>
> Feb 25 21:42:16 labyrinth sshd[30965]: error: open /dev/tty failed - could
> not set controlling tty: Permission denied

Hi Selphie:

Thanks for this patch. I'll go ahead and merge it, but had two questions:

(1) It looks like you didn't need to set any special label on /dev/ptmx
    itself?

(2) Could you let me know how your login.conf + user labels are configured,
    and show me the output of "ps -axZ | grep sshd"?

We need to rethink how we deal with ttys anyway, and I'd like to understand
how the specific case you're running into comes about.

Robert N M Watson
Computer Laboratory
University of Cambridge
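
The denial in the quoted report, as an added example that is not part of this thread, the submitted patch, or the mac_mls source: a simplified model of the MLS "no write down" rule and of labelling pty device nodes by name prefix. The legacy prefixes "ttyp"/"ptyp", the match_pts switch, and the mls/5 subject are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not kernel code: a label is low, a numeric grade, high, or equal. */
enum mls_type { MLS_LOW, MLS_GRADE, MLS_HIGH, MLS_EQUAL };
struct mls_label { enum mls_type type; int grade; };

static int mls_rank(struct mls_label l) {
    if (l.type == MLS_LOW) return -1;          /* below every grade */
    if (l.type == MLS_HIGH) return 1 << 30;    /* above every grade */
    return l.grade;                            /* grades are >= 0 */
}

/* "equal" is exempt from comparison: it dominates and is dominated by everything. */
static bool mls_dominates(struct mls_label a, struct mls_label b) {
    if (a.type == MLS_EQUAL || b.type == MLS_EQUAL) return true;
    return mls_rank(a) >= mls_rank(b);
}

/* No write down: the object must dominate the subject. */
bool mls_can_write(struct mls_label subj, struct mls_label obj) {
    return mls_dominates(obj, subj);
}

static bool has_prefix(const char *s, const char *p) {
    return strncmp(s, p, strlen(p)) == 0;
}

/* Label a device node by name. match_pts is a hypothetical switch: false models
 * a prefix list that predates /dev/pts, true models one that knows "pts/". */
struct mls_label label_device(const char *name, bool ptys_equal, bool match_pts) {
    struct mls_label l = { MLS_LOW, 0 };
    if (ptys_equal && (has_prefix(name, "ttyp") || has_prefix(name, "ptyp") ||
                       (match_pts && has_prefix(name, "pts/"))))
        l.type = MLS_EQUAL;
    return l;
}

int main(void) {
    struct mls_label sshd = { MLS_GRADE, 5 };  /* constructed subject at mls/5 */
    const char *devs[] = { "ttyp0", "pts/5" }; /* legacy name, new-style name */
    for (int fix = 0; fix <= 1; fix++)
        for (int i = 0; i < 2; i++)
            printf("match_pts=%d %-6s write %s\n", fix, devs[i],
                   mls_can_write(sshd, label_device(devs[i], true, fix))
                       ? "allowed" : "denied");
    return 0;
}
```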