On Sat, 2004-03-27 at 20:12, Aleksey Nogin wrote:

> When I run (from staff_r) things via sudo, then sometimes it turns out
> that the programs I run end up not being able to communicate back to me
> as they are denied access to the tty they are running on (see
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119209 for details).
>
> Is there some way within the SELinux framework to give programs write
> access to the tty they are running on w/o giving them write access to
> all the ttys of the same type?

Types are security equivalence classes. So if you've placed a set of objects into a single type, then they are accessible in the same manner.

Now, you can have programs transition into derived domains that preserve their call chain information, and use that to control access to types, e.g. staff_t runs program foo in staff_foo_t and sysadm_t runs program foo in sysadm_foo_t, and $1_foo_t only gets access to $1_devpts_t.

However, in this particular case, where sudo is performing an explicit role change, I would expect that sudo would relabel the pty based on the new user domain, so it should be relabeled to sysadm_devpts_t while the command is being executed, and then reset to its original type.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
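The derived-domain pattern described in the reply, written out as a sketch in the m4 macro style of the example policy of that era; this is an added illustration, not code from the thread or from any released policy, and the names `foo`, `foo_exec_t` and `foo_domain` are hypothetical:

```m4
# Hypothetical macro: one derived domain per calling user domain, so the
# call chain (staff_t vs. sysadm_t) is preserved in the domain name and
# each derived domain only reaches the pty type of its own user.
# Assumes the per-user pty type is $1_devpts_t and the user role is $1_r.
type foo_exec_t, file_type, sysadmfile, exec_type;

define(`foo_domain', `
type $1_foo_t, domain;
role $1_r types $1_foo_t;

# Executing foo from $1_t lands the process in $1_foo_t, not in $1_t.
domain_auto_trans($1_t, foo_exec_t, $1_foo_t)

# Only the calling user's ptys are writable; other users' pty types
# (other equivalence classes) are not mentioned and so stay denied.
allow $1_foo_t $1_devpts_t:chr_file rw_file_perms;
')

# Instantiate once per user domain that may run foo.
foo_domain(staff)
foo_domain(sysadm)
```

With this shape, a denial on a pty shows up in the audit log with the derived domain as the source, which makes it easy to see which user's session lacked the access rather than granting all of devpts at once.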