Re: dmesg avcs

On Saturday 06 March 2004 10:15 pm, Russell Coker wrote:
> This should not be possible.  You should only be able to enter the dmesg_t
> domain from sysadm_t, anaconda_t, or initrc_t.  None of those domains
> should have a terminal labeled with user_devpts_t open at the time.
>
> How exactly are you running dmesg?  What is the context of the program that
> runs it?

start konsole.  su - to root.  run dmesg.  the output from ps -e --context for 
the bash shell:

2011 root:sysadm_r:sysadm_t                   -bash

> We don't want dmesg_t programs to be under the control of user_t programs. 
> If dmesg_t can be reached from user_t and can access its terminals then
> user_t has a chance at getting sys_admin capability (if the user_r user in
> question has UID==0).  sys_admin capability should give full control of the
> machine.

ok.  i should do more reading on how the rules and domain transitions 
function.

josh
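
Added example, not part of the original message: a small Python triage script for the kind of denial discussed in this thread, which flags AVC lines where dmesg_t touches a terminal labeled user_devpts_t. The log lines are constructed samples, and sysadm_devpts_t is an assumed type name used only for the case that is not flagged.

```python
import re

# Constructed sample lines in the old "avc: denied" kernel log format (not from the thread).
SAMPLE_DMESG = """\
audit(1078629301.512:0): avc:  denied  { read write } for  pid=2055 exe=/bin/dmesg path=/dev/pts/1 dev= ino=3 scontext=root:sysadm_r:dmesg_t tcontext=root:object_r:user_devpts_t tclass=chr_file
audit(1078629310.100:0): avc:  denied  { getattr } for  pid=2101 exe=/bin/ls path=/etc/shadow dev=hda2 ino=4411 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1078629322.733:0): avc:  denied  { read write } for  pid=2140 exe=/bin/dmesg path=/dev/pts/2 dev= ino=4 scontext=root:sysadm_r:dmesg_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
"""

# Both names come from the thread: the privileged domain and the user terminal type.
PRIVILEGED_DOMAINS = {"dmesg_t"}
USER_TERMINAL_TYPES = {"user_devpts_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type context, or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avcs(text):
    """Yield one dict per AVC denial found in the log text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {
                "perms": m["perms"].split(),
                "source": context_type(m["scontext"]),
                "target": context_type(m["tcontext"]),
                "tclass": m["tclass"],
                "line": line,
            }

def terminal_crossings(text):
    """Denials where a privileged domain accessed a user-labeled terminal."""
    return [a for a in parse_avcs(text)
            if a["tclass"] == "chr_file"
            and a["source"] in PRIVILEGED_DOMAINS
            and a["target"] in USER_TERMINAL_TYPES]

if __name__ == "__main__":
    for hit in terminal_crossings(SAMPLE_DMESG):
        print(f'{hit["source"]} -> {hit["target"]} {hit["perms"]}')
```

Feeding it the real output of dmesg instead of the sample shows which denials to read alongside ps -e --context for the shell that launched the program.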


