On Saturday 06 March 2004 10:15 pm, Russell Coker wrote:
> This should not be possible. You should only be able to enter the dmesg_t
> domain from sysadm_t, anaconda_t, or initrc_t. None of those domains
> should have a terminal labeled with user_devpts_t open at the time.
>
> How exactly are you running dmesg? What is the context of the program that
> runs it?

start konsole. su - to root. run dmesg.

the output from ps -e --context for the bash shell:

  2011 root:sysadm_r:sysadm_t -bash

> We don't want dmesg_t programs to be under the control of user_t programs.
> If dmesg_t can be reached from user_t and can access its terminals then
> user_t has a chance at getting sys_admin capability (if the user_r user in
> question has UID==0). sys_admin capability should give full control of the
> machine.

ok. i should do more reading on how the rules and domain transitions function.

josh