PERFORCE change 5831 for review

Stephen Smalley sds at tislabs.com
Fri Jan 25 15:44:39 GMT 2002


> label ranges, but the tty as an fs object only has _single elements.
> Also, we need to find some way for TE to know what label to stick on the
> tty, although I'm not sure what that is.  We should probably investigate
> how SELinux handles it -- probably a userland policy file or something.

The SELinux kernel provides an API call (security_change_sid) that returns
the new label to use when relabeling an object based on the label of a
process, the current label of the object, and the security class of the
object.  Applications such as login and sshd use this call to obtain the
new label for the tty, passing the label that will be used for the user
process and the original label of the tty.  This permits the label of the
tty to incorporate both security characteristics of the user process and
security characteristics of the particular tty object.  The TE
configuration specifies type_change rules that are used to compute the
type for these labels, based on the domain of the user process and the
initial type of the tty node.

--
Stephen D. Smalley, NAI Labs
ssmalley at nai.com
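The relabel computation described in the message above, as an added example that is not part of the original post and is not SELinux code: a small Python model that parses type_change rules and computes the new tty label from the process label, the tty's current label and the object class. The type names in the sample rules are constructed, and the handling of the user and role fields and the fallback when no rule matches are assumptions of this model.

```python
import re

# Constructed sample rules in type_change syntax; the type names are illustrative.
SAMPLE_RULES = """
type_change user_t tty_device_t:chr_file user_tty_device_t;
type_change sysadm_t tty_device_t:chr_file sysadm_tty_device_t;
type_change user_t sshd_devpts_t:chr_file user_devpts_t;
"""

RULE_RE = re.compile(r"^type_change\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;$")


def parse_type_change(text):
    """Return {(process_domain, object_type, object_class): new_type}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"not a type_change rule: {line!r}")
        src, tgt, cls, new = match.groups()
        key = (src, tgt, cls)
        if rules.get(key, new) != new:
            raise ValueError(f"conflicting type_change rules for {key}")
        rules[key] = new
    return rules


def change_label(rules, process_label, object_label, object_class):
    """Model of the relabel decision for one (process, object, class) triple."""
    p_user, _p_role, p_domain = process_label.split(":")
    _o_user, _o_role, o_type = object_label.split(":")
    # Assumption: with no matching rule the object keeps its current type.
    new_type = rules.get((p_domain, o_type, object_class), o_type)
    # Assumption: user identity comes from the process, role is object_r.
    return f"{p_user}:object_r:{new_type}"


def relabel_tty_for_login(rules, user_label, tty_label):
    """What a login-like program would request before handing over the tty."""
    return change_label(rules, user_label, tty_label, "chr_file")
```
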







More information about the trustedbsd-discuss mailing list