Date:      Tue, 2 Mar 2010 11:32:19 +0000 (GMT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Estella Mystagic <estella@mystagic.com>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: mac_mls mac_biba mac_lomac patches to fix ptys_equal mib support for new /dev/pts in FreeBSD 8
Message-ID:  <alpine.BSF.2.00.1003021120450.48144@fledge.watson.org>
In-Reply-To: <2BD4195B78BE4E4E9F4953B3196590E3@2WIRE304>
References:  <2BD4195B78BE4E4E9F4953B3196590E3@2WIRE304>

On Mon, 1 Mar 2010, Estella Mystagic wrote:

> Found issues with sysctl mibs security.mac.biba.ptys_equal, 
> security.mac.lomac.ptys_equal, security.mac.mls.ptys_equal, not supporting 
> new /dev/pts terminal system in FreeBSD 8, proposed fix for issue.
>
> When using a higher security grade/clearance with mac_mls it prevents
> writing to the /dev/pts/5 as it's set as mls/low and subjects may not write
> to objects with a lower classification level than its own clearance level.
>
> Feb 25 21:42:16 labyrinth sshd[30965]: error: /dev/pts/5: Permission denied
>
> Feb 25 21:42:16 labyrinth sshd[30965]: error: open /dev/tty failed - could 
> not set controlling tty: Permission denied

Hi Selphie:

Thanks for this patch.  I'll go ahead and merge it, but had two questions:

(1) It looks like you didn't need to set any special label on /dev/ptmx
     itself?

(2) Could you let me know how your login.conf + user labels are configured,
     and show me the output of "ps -axZ | grep sshd"?

We need to rethink how we deal with ttys anyway, and I'd like to understand 
how the specific case you're running into comes about.

Robert N M Watson
Computer Laboratory
University of Cambridge



