Re: some fixes to allow user roles in targeted policy

On Mon, 2004-08-16 at 08:56 -0400, Stephen Smalley wrote:

> > Fourth, the user domain needs access to user_home_dir_t:dir.
> 
> Should be $1_home_dir_t, right?

Actually that line can be scratched entirely, I think I just had the
user's home directory mislabeled, obviously that part is broken.

> > The fifth issue is access to /dev/pts.  The comment above the patch
> > should explain things.  Is there a better solution here?
> 
> If you want any protection between users, you need the separate types on
> the ptys (and ttys). 

Modulo DAC, you mean.  I think in the targeted policy we're already
relying heavily on DAC for protection between users, and this isn't
really different.

> But as above, you are likely to increasingly find
> yourself transforming the targeted policy into the strict policy to
> achieve real separation, so why not just use the strict policy?

I just run targeted policy on my laptop to test it, and I wanted to test
my hacks to the OpenSSH patch.  I guess it seemed quicker to write a
patch to allow user creation in the targeted policy than to wait through
two relabels :)

It is a bit of a unique situation, so maybe it's not worth trying to
support user creation in the targeted policy.  I just thought I'd send
my hack along in case it was found useful.

Attachment: signature.asc
Description: This is a digitally signed message part

