From owner-freebsd-hackers@FreeBSD.ORG Sun Mar 7 06:31:09 2010
From: Selphie Keller
To: "'Robert Watson'"
References: <2BD4195B78BE4E4E9F4953B3196590E3@2WIRE304>
Date: Sat, 6 Mar 2010 22:31:07 -0800
Message-ID: <579475BD01D74701A452FF632CA8BF98@2WIRE304>
Cc: freebsd-hackers@freebsd.org
Subject: RE: mac_mls mac_biba mac_lomac patches to fix ptys_equal mib support for new /dev/pts in FreeBSD 8

Robert,

I have security.mac.mls.revocation_enabled set to 0. sshd was running as mls/equal(equal-equal) and my staff user was running as mls/2(low-high), and sshd gave the error message:

Feb 25 21:46:14 labyrinth sshd[90850]: error: /dev/pts/5: Permission denied
Feb 25 21:46:14 labyrinth sshd[90850]: error: open /dev/tty failed - could not set controlling tty: Permission denied

where /dev/pts/5 was set as mls/low, which does seem to be a normal response when you have a higher grade trying to write to a lower grade with mls enforced. However, this error only occurs when a higher grade logs into the machine with mls/2(low-high) and is trying to write to /dev/pts/* with mls/low; when an insecure user logs in as mls/low(low-low) the errors are not seen, nor if the user is exempted as mls/equal(equal-equal).

I can recompile the module without the patch and regress it back to try and recreate the issues, if needed.
-Selphie

-----Original Message-----
From: Robert Watson [mailto:rwatson@FreeBSD.org]
Sent: Saturday, March 06, 2010 8:53 AM
To: Selphie Keller
Cc: freebsd-hackers@freebsd.org
Subject: RE: mac_mls mac_biba mac_lomac patches to fix ptys_equal mib support for new /dev/pts in FreeBSD 8

On Tue, 2 Mar 2010, Selphie Keller wrote:

> - (2) Could you let me know how your login.conf + user labels are
> configured, and show me the output of "ps -axZ | grep sshd"?
>
> /etc/login.conf label configurations I use
>
> Staff users: label=mls/2(low-high)
> Daemons: label=mls/equal(equal-equal)
> Insecure users: label=mls/low(low-low)
>
> If you need the exact data from login.conf I can provide it, but it is a bit
> tricky as I use tc= to call from one class to another class and override, in
> which the default class is mls/low.

Am I right in thinking that you have security.mac.biba.revocation_enabled and/or security.mac.mls.revocation_enabled set? Revocation being enabled might explain why you're seeing this issue, but other users aren't reporting problems.

Robert N M Watson
Computer Laboratory
University of Cambridge
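The "Permission denied" on /dev/pts/5 described in the thread is what the mac_mls no-write-down rule produces when a subject whose effective element is 2 opens a pty labelled mls/low for writing, and the ptys_equal knob exists to label new ptys mls/equal so that any subject can use them. The following toy model is an added example written for this page; it is not code from the thread or from the FreeBSD kernel, and the function names (parse_label, check_open, new_pty_label) are this example's own. It assumes the mac_mls(4) label syntax shown in the messages ("mls/2(low-high)" for a subject, "mls/low" for an object) and the documented dominance semantics: "equal" dominates and is dominated by everything, a write requires the object to dominate the subject's effective element, and a read requires the reverse.

```python
"""Toy model of FreeBSD mac_mls effective-label checks on pty opens.

Added example for this page: not code from the thread or from the kernel.
Assumed: mac_mls(4) label syntax and the no-write-down / no-read-up rules.
"""

LOW, HIGH = 0, 65535  # numeric ends of the sensitivity range


def parse_element(text):
    """Return an int level, or the string 'equal' for the wildcard element."""
    text = text.strip()
    if text == "equal":
        return "equal"
    if text == "low":
        return LOW
    if text == "high":
        return HIGH
    return int(text)


def parse_label(label):
    """'mls/2(low-high)' -> effective 2, range (0, 65535); 'mls/low' -> effective 0.

    Objects carry only an effective element; subjects also carry a range.
    """
    if not label.startswith("mls/"):
        raise ValueError("not an mls label: " + label)
    body = label[len("mls/"):]
    if "(" in body:
        effective, rng = body[:-1].split("(")
        lo, hi = rng.split("-")
        parsed = {"effective": parse_element(effective),
                  "range": (parse_element(lo), parse_element(hi))}
    else:
        parsed = {"effective": parse_element(body)}
    return parsed


def dominates(a, b):
    """mac_mls dominance: 'equal' on either side always satisfies the test."""
    if a == "equal" or b == "equal":
        return True
    return a >= b


def check_open(subject_label, object_label, write):
    """Model of the vnode open check.

    Writes need the object to dominate the subject's effective element
    (no write-down); reads need the subject to dominate the object.
    """
    subj = parse_label(subject_label)["effective"]
    obj = parse_label(object_label)["effective"]
    if write:
        return "allowed" if dominates(obj, subj) else "EACCES"
    return "allowed" if dominates(subj, obj) else "EACCES"


def new_pty_label(ptys_equal):
    """Label a freshly created pty receives: mls/equal when the ptys_equal knob
    is on, otherwise the mls/low default that the thread's /dev/pts/5 had."""
    return "mls/equal" if ptys_equal else "mls/low"


def explain(subject_label, ptys_equal):
    """One-line summary of whether a login at subject_label can write its pty."""
    pty = new_pty_label(ptys_equal)
    verdict = check_open(subject_label, pty, write=True)
    return f"{subject_label} opening {pty} for write: {verdict}"


if __name__ == "__main__":
    # The three login.conf classes from the thread, with the knob off and on.
    for subj in ("mls/2(low-high)", "mls/low(low-low)", "mls/equal(equal-equal)"):
        for knob in (0, 1):
            print(f"ptys_equal={knob}: {explain(subj, knob)}")
```

Running it reproduces the pattern reported in the thread: only the mls/2(low-high) staff user is refused, and only while the pty is labelled mls/low; the mls/low(low-low) and mls/equal(equal-equal) logins succeed either way, and with ptys_equal on every class succeeds.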