From: Robert Watson <rwatson@FreeBSD.org>
Date: Tue, 2 Mar 2010 11:32:19 +0000 (GMT)
To: Estella Mystagic
Cc: freebsd-hackers@freebsd.org
Subject: Re: mac_mls mac_biba mac_lomac patches to fix ptys_equal mib support for new /dev/pts in FreeBSD 8
In-Reply-To: <2BD4195B78BE4E4E9F4953B3196590E3@2WIRE304>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

On Mon, 1 Mar 2010, Estella Mystagic wrote:

> Found issues with sysctl mibs security.mac.biba.ptys_equal,
> security.mac.lomac.ptys_equal, security.mac.mls.ptys_equal, not supporting
> the new /dev/pts terminal system in FreeBSD 8; proposed fix for the issue.
>
> When using a higher security grade/clearance with mac_mls it prevents
> writing to /dev/pts/5 as it's set as mls/low, and subjects may not write
> to objects with a lower classification level than their own clearance level.
>
> > Feb 25 21:42:16 labyrinth sshd[30965]: error: /dev/pts/5: Permission denied
> > Feb 25 21:42:16 labyrinth sshd[30965]: error: open /dev/tty failed - could
> > not set controlling tty: Permission denied

Hi Selphie:

Thanks for this patch. I'll go ahead and merge it, but had two questions:

(1) It looks like you didn't need to set any special label on /dev/ptmx
itself?

(2) Could you let me know how your login.conf + user labels are configured,
and show me the output of "ps -axZ | grep sshd"?

We need to rethink how we deal with ttys anyway, and I'd like to understand
how the specific case you're running into comes about.

Robert N M Watson
Computer Laboratory
University of Cambridge
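To make the failure mode in the quoted report concrete, here is an added model (written for this archive page, not code from the thread or from the FreeBSD mac_mls module) of MLS label dominance and of the effect of security.mac.mls.ptys_equal, which labels pty device nodes mls/equal instead of the default mls/low. The label syntax follows mac_mls(4); the sshd subject label and the `sshd_can_write_pty` helper are assumptions for illustration.

```python
"""Model of mac_mls dominance and the ptys_equal sysctl (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MlsLabel:
    # kind is "low", "high", "equal", or "grade" (numeric level plus compartments)
    kind: str
    level: int = 0
    compartments: frozenset = frozenset()

    @staticmethod
    def parse(text: str) -> "MlsLabel":
        """Parse mac_mls(4) textual forms: mls/low, mls/high, mls/equal, mls/5:2+4."""
        body = text.split("/", 1)[1]
        if body in ("low", "high", "equal"):
            return MlsLabel(body)
        grade, _, comps = body.partition(":")
        cset = frozenset(int(c) for c in comps.split("+") if c)
        return MlsLabel("grade", int(grade), cset)


def dominates(a: MlsLabel, b: MlsLabel) -> bool:
    """True if a dominates b in the MLS lattice (a >= b)."""
    if a.kind == "equal" or b.kind == "equal":
        return True  # "equal" is compatible with every other label
    if a.kind == "high" or b.kind == "low":
        return True  # high dominates everything; everything dominates low
    if a.kind == "low" or b.kind == "high":
        return False
    return a.level >= b.level and a.compartments >= b.compartments


def may_read(subject: MlsLabel, obj: MlsLabel) -> bool:
    return dominates(subject, obj)  # no read-up


def may_write(subject: MlsLabel, obj: MlsLabel) -> bool:
    return dominates(obj, subject)  # no write-down


def pty_label(ptys_equal: int) -> MlsLabel:
    # With ptys_equal=1 the pty node is created as mls/equal; otherwise mls/low.
    return MlsLabel.parse("mls/equal" if ptys_equal else "mls/low")


def sshd_can_write_pty(subject_label: str, ptys_equal: int) -> bool:
    """Does a subject carrying subject_label get to write its allocated pty?"""
    return may_write(MlsLabel.parse(subject_label), pty_label(ptys_equal))
```

With ptys_equal=0 a session at mls/high is denied the write-down to its mls/low pty, which is the "Permission denied" sshd logs above; with ptys_equal=1 the same write is permitted.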