oops.... (got tripped up on /proc). Yeah. Your approach is better.

thanks,
tom

On Fri, 17 Sep 2004 10:32:52 -0400, Stephen Smalley <sds@xxxxxxxxxxxxxx> wrote:
> On Fri, 2004-09-17 at 10:30, Tom London wrote:
> > Then should /dev/fd (the link) be unlabeled, defaulting
> > to the general DAC? Or labeled, say, self_fd_t,
> > with a general rule allowing accesses to it?
> >
> > Could do the same for /dev/stdin, /dev/stdout, and
> > /dev/stderr.
>
> I don't see why you wouldn't just generally give search to device_t:dir
> for /dev and read to device_t:lnk_file for
> /dev/{fd,stdin,stdout,stderr}. Maintaining individual types on those
> symlinks seems overkill. BTW, unlabeled doesn't default to general DAC,
> it is inaccessible to most domains.
>
> --
> Stephen Smalley <sds@xxxxxxxxxxxxxx>
> National Security Agency
>

--
Tom London
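What Stephen's suggestion looks like as policy, written out as an added example that is not part of the thread or of any shipped policy: a small type-enforcement module giving a hypothetical domain `myapp_t` the generic permissions needed to follow `/dev/fd`, `/dev/stdin`, `/dev/stdout` and `/dev/stderr`, plus the `/proc` side that Tom got tripped up on (those links resolve through `/proc/self/fd/N`). It is written in reference-policy module syntax (`policy_module`, `gen_require`, `domain_type`), which is assumed here and postdates the 2004 thread; `device_t` and `proc_t` are the standard types for `/dev` and `/proc`, and `myapp_t` is an assumed name.

```selinux
# Added example (not from the thread): a type-enforcement module giving a
# hypothetical domain, myapp_t, what it needs to follow /dev/fd,
# /dev/stdin, /dev/stdout and /dev/stderr the way Stephen suggests,
# instead of inventing a self_fd_t type per symlink.
# Assumes the reference-policy build framework; device_t and proc_t are
# the standard types for /dev and /proc.

policy_module(myapp_devfd, 1.0)

gen_require(`
    type device_t;
    type proc_t;
')

# Hypothetical application domain; in a real module this would be the
# domain that kept getting denied.
type myapp_t;
domain_type(myapp_t)

# Step 1: looking up /dev/stdin needs search on the /dev directory and
# read on the symlink itself. Both are generic to device_t, so every one
# of /dev/{fd,stdin,stdout,stderr} is covered without a type per link.
allow myapp_t device_t:dir search;
allow myapp_t device_t:lnk_file read;

# Step 2: the links resolve through /proc/self/fd/N. /proc itself and the
# /proc/self symlink are proc_t; /proc/<pid>/fd and the fd symlinks inside
# it are labeled with the owning process's domain, hence "self".
allow myapp_t proc_t:dir search;
allow myapp_t proc_t:lnk_file read;
allow myapp_t self:dir search;
allow myapp_t self:lnk_file read;

# Step 3: the open file the link finally points at (pipe, tty, regular
# file) still needs its own rule for whatever type it carries; nothing
# above grants that. No rule is needed to keep an unlabeled link out of
# reach: as Stephen notes, unlabeled_t is inaccessible to most domains.
```

Build it with the usual module workflow (`checkmodule -M -m` plus `semodule_package`, or `make -f /usr/share/selinux/devel/Makefile` on Fedora-style systems) and load it with `semodule -i`. If a denial still shows up in the audit log for a `lnk_file` or `dir` access, `ls -Zd /dev /dev/fd /proc/self /proc/self/fd` confirms which of the labels above the path actually carries on your system.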