NSA SE enabled devfsd
I have hacked support for SE Linux into devfsd.
For example the following line in a devfsd config will set the SID of
/dev/null:
REGISTER ^null SELINUX system_u:object_r:null_device_t
If the devfsd sees that you are not running an SE kernel, or if you compile
the devfsd without SE Linux support then the SELINUX "what" actions will be
silently ignored for compatibility.
The file selinux-config on my site has all the sample /dev policy converted
to the format my hacked devfsd uses.
The file devfsd-se.diff is the diff between the non-SE and the SE versions of
devfsd. It was created against the Debian patched devfsd package, but should
apply to a clean devfsd tree.
There is also full source to devfsd, Debian package source, and a Debian
package.
The URL is http://www.coker.com.au/selinux/devfsd/
To the NSA people: please do not put any of this code on your site or take
any formal notice of it yet. Richard should be given a chance to review it
before we go any further (he may require small but problematic changes such
as a different "what" keyword).
At the moment this is just a proof of concept.
--
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.
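
Added example, not part of the original post and not code from devfsd: a small C checker that reads config text in the `REGISTER <regex> SELINUX <context>` form shown in the post and reports which context a device name would receive, so a policy file can be sanity-checked before deployment. The function names, the POSIX extended-regex matching, the "last matching line wins" rule and the strict three-field `user:role:type` check are assumptions of this example; every sample line except the `^null` one is constructed.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample config; only the ^null line comes from the post. */
static const char SAMPLE_CONFIG[] =
    "REGISTER ^null SELINUX system_u:object_r:null_device_t\n"
    "REGISTER ^tty[0-9]+$ SELINUX system_u:object_r:example_tty_t\n"
    "REGISTER ^tty[0-9]+$ PERMISSIONS root.tty 0620\n";

/* Assumption: a context is exactly user:role:type, three non-empty fields. */
static int context_ok(const char *ctx)
{
    int fields = 1;
    size_t len = 0;
    for (; *ctx; ctx++) {
        if (*ctx != ':') { len++; continue; }
        if (len == 0) return 0;          /* empty field such as "a::c" */
        fields++; len = 0;
    }
    return fields == 3 && len > 0;
}

/* Returns 1 and fills out if a SELINUX line matches name, 0 if none does,
 * -1 on a malformed SELINUX line. Assumption: the last matching line wins. */
int resolve_context(const char *config, const char *name, char *out, size_t outlen)
{
    char buf[512], event[32], pattern[128], what[32], arg[128];
    int found = 0;
    while (*config) {
        size_t len = strcspn(config, "\n");          /* take one line at a time */
        snprintf(buf, sizeof buf, "%.*s", (int)len, config);
        config += len + (config[len] == '\n');
        int n = sscanf(buf, "%31s %127s %31s %127s", event, pattern, what, arg);
        if (n < 3 || strcmp(event, "REGISTER") != 0 || strcmp(what, "SELINUX") != 0)
            continue;                                /* not a SELINUX action */
        regex_t re;
        if (n != 4 || !context_ok(arg) || regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
            return -1;                               /* missing/bad context or bad regex */
        if (regexec(&re, name, 0, NULL, 0) == 0) {
            snprintf(out, outlen, "%s", arg);
            found = 1;
        }
        regfree(&re);
    }
    return found;
}
```

Note that the unanchored `^null` pattern also matches any device name that merely begins with `null`, so a trailing `$` is worth considering when the context should apply to one node only.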