Date: Sat, 6 Mar 2010 22:31:07 -0800
From: Selphie Keller <selphie.keller@gmail.com>
To: "'Robert Watson'" <rwatson@FreeBSD.org>
Cc: freebsd-hackers@freebsd.org
Subject: RE: mac_mls mac_biba mac_lomac patches to fix ptys_equal mib support for new /dev/pts in FreeBSD 8
Message-ID: <579475BD01D74701A452FF632CA8BF98@2WIRE304>
In-Reply-To: <alpine.BSF.2.00.1003061650440.59375@fledge.watson.org>
References: <2BD4195B78BE4E4E9F4953B3196590E3@2WIRE304> <alpine.BSF.2.00.1003021120450.48144@fledge.watson.org> <EAB3F73201B9443D81524724BA9777FD@2WIRE304> <alpine.BSF.2.00.1003061650440.59375@fledge.watson.org>
Robert,

I have security.mac.mls.revocation_enabled set to 0, sshd was running as mls/equal(equal-equal) and my staff user was running as mls/2(low-high), and sshd gave the error message:

Feb 25 21:46:14 labyrinth sshd[90850]: error: /dev/pts/5: Permission denied
Feb 25 21:46:14 labyrinth sshd[90850]: error: open /dev/tty failed - could not set controlling tty: Permission denied

where /dev/pts/5 was set as mls/low, which does seem to be a normal response when you have a higher grade trying to write to a lower grade with mls enforced. However, this error only occurs when a higher grade logs into the machine with mls/2(low-high) and is trying to write to /dev/pts/* with mls/low; when an insecure user logs in as mls/low(low-low) errors are not seen, or if the user is exempted as mls/equal(equal-equal).

I can recompile the module without the patch and regress it back to try and recreate the issues, if needed.

-Selphie

-----Original Message-----
From: Robert Watson [mailto:rwatson@FreeBSD.org]
Sent: Saturday, March 06, 2010 8:53 AM
To: Selphie Keller
Cc: freebsd-hackers@freebsd.org
Subject: RE: mac_mls mac_biba mac_lomac patches to fix ptys_equal mib support for new /dev/pts in FreeBSD 8

On Tue, 2 Mar 2010, Selphie Keller wrote:

> - (2) Could you let me know how your login.conf + user labels are
> configured, and show me the output of "ps -axZ | grep sshd"?
>
> /etc/login.conf label configurations I use
>
> Staff users: label=mls/2(low-high)
> Daemons: label=mls/equal(equal-equal)
> Insecure users: label=mls/low(low-low)
>
> If you need the exact data from login.conf I can provide it, but it is a bit
> tricky as I use tc= to call from one class to another class and override, in
> which default class is mls/low.

Am I right in thinking that you have security.mac.biba.revocation_enabled and/or security.mac.mls.revocation_enabled set? Revocation being enabled might explain why you're seeing this issue, but other users aren't reporting problems.

Robert N M Watson
Computer Laboratory
University of Cambridge
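The label arithmetic behind the "Permission denied" above, as an added illustration that is not part of this thread and not FreeBSD's mac_mls(4) code: a small Python model of the dominance rules mac_mls enforces, applied to the three login.conf classes Selphie listed against a pty labelled mls/low and against one labelled mls/equal. It assumes the Bell-LaPadula checks as mac_mls applies them (reading needs the subject's effective level to dominate the object, writing needs the object to dominate the subject, and "equal" matches everything), ignores compartments, and parses a subject's "(low-high)" range but uses only the effective level for access decisions. The helper names (Level, MlsLabel, can_open_tty) are this example's own.

```python
# Toy model of the mac_mls(4) label dominance rules, written to show why a
# staff session at mls/2 cannot open a pty labelled mls/low while equal and
# low sessions can. Added example, not FreeBSD code. Assumptions: read needs
# subject >= object, write needs object >= subject, "equal" dominates and is
# dominated by everything; compartments are ignored; a subject's (low-high)
# range is parsed but only the effective level is used for access checks.

from dataclasses import dataclass
from typing import Optional

LOW, HIGH, EQUAL = "low", "high", "equal"


@dataclass(frozen=True)
class Level:
    """One MLS sensitivity element: 'low', 'high', 'equal', or an integer grade."""
    value: object  # LOW / HIGH / EQUAL or an int

    @classmethod
    def parse(cls, text: str) -> "Level":
        text = text.strip()
        if text in (LOW, HIGH, EQUAL):
            return cls(text)
        return cls(int(text))  # e.g. "2" -> grade 2

    def dominates(self, other: "Level") -> bool:
        """True if self >= other in the MLS lattice."""
        if EQUAL in (self.value, other.value):
            return True  # "equal" sits both above and below every label
        if self.value == HIGH or other.value == LOW:
            return True
        if self.value == LOW or other.value == HIGH:
            return False
        return self.value >= other.value  # two integer grades


@dataclass(frozen=True)
class MlsLabel:
    """Label such as 'mls/low', 'mls/equal', 'mls/2' or 'mls/2(low-high)'."""
    effective: Level
    range_low: Optional[Level] = None
    range_high: Optional[Level] = None

    @classmethod
    def parse(cls, text: str) -> "MlsLabel":
        if not text.startswith("mls/"):
            raise ValueError(f"not an mls label: {text!r}")
        body = text[len("mls/"):]
        if "(" in body:
            eff, rng = body.split("(", 1)
            lo, hi = rng.rstrip(")").split("-", 1)
            return cls(Level.parse(eff), Level.parse(lo), Level.parse(hi))
        return cls(Level.parse(body))


def can_read(subject: MlsLabel, obj: MlsLabel) -> bool:
    """No read-up: the subject's effective level must dominate the object."""
    return subject.effective.dominates(obj.effective)


def can_write(subject: MlsLabel, obj: MlsLabel) -> bool:
    """No write-down: the object's label must dominate the subject."""
    return obj.effective.dominates(subject.effective)


def can_open_tty(subject: str, tty: str) -> bool:
    """A controlling tty is opened read/write, so both rules must pass."""
    s, o = MlsLabel.parse(subject), MlsLabel.parse(tty)
    return can_read(s, o) and can_write(s, o)


if __name__ == "__main__":
    # Constructed scenario matching the thread: the pty carries mls/low.
    classes = [("sshd (daemon)", "mls/equal(equal-equal)"),
               ("staff user", "mls/2(low-high)"),
               ("insecure user", "mls/low(low-low)")]
    for who, label in classes:
        ok = can_open_tty(label, "mls/low")
        print(f"{who:14} {label:24} open pty (mls/low): "
              f"{'ok' if ok else 'Permission denied'}")
    # A pty labelled mls/equal is openable by every class, including staff.
    print("staff user on mls/equal pty:",
          can_open_tty("mls/2(low-high)", "mls/equal"))
```

Running it reproduces the pattern in the report: the mls/2 session is the only one refused on an mls/low pty, because the write half of the open fails the no-write-down rule, and the same session succeeds once the pty is labelled mls/equal.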