Re: NSA SE enabled devfsd
Russell Coker writes:
> I have hacked support for SE Linux into devfsd.
>
> For example the following line in a devfsd config will set the SID of
> /dev/null:
> REGISTER ^null SELINUX system_u:object_r:null_device_t
>
> If the devfsd sees that you are not running an SE kernel, or if you compile
> the devfsd without SE Linux support then the SELINUX "what" actions will be
> silently ignored for compatibility.
>
> The file selinux-config on my site has all the sample /dev policy converted
> to the format my hacked devfsd uses.
>
> The file devfsd-se.diff is the diff between the non-SE and the SE versions of
> devfsd, it was created against the Debian patched devfsd package, but should
> apply to a clean devfsd tree.
>
> There is also full source to devfsd, Debian package source, and a Debian
> package.
>
> The URL is http://www.coker.com.au/selinux/devfsd/
>
> To the NSA people: please do not put any of this code on your site
> or take any formal notice of it yet. Richard should be given a
> chance to review it before we go any further (he may require small
> but problematic changes such as a different "what" keyword).
Even though there's not an awful lot of code to support this, I'm
still unhappy about the #ifdef's. As I said back in January: I'd much
rather see this done using an extension and GNUmakefile magic to
automatically compile the extension as appropriate. Why not do it that
way?
BTW: why "FLASK"?
Regards,
Richard....
Permanent: rgooch@atnf.csiro.au
Current: rgooch@ras.ucalgary.ca