
Re: NSA SE enabled devfsd



Russell Coker writes:
> I have hacked support for SE Linux into devfsd.
> 
> For example the following line in a devfsd config will set the SID of 
> /dev/null:
> REGISTER ^null                  SELINUX system_u:object_r:null_device_t
> 
> If the devfsd sees that you are not running an SE kernel, or if you compile 
> the devfsd without SE Linux support then the SELINUX "what" actions will be 
> silently ignored for compatibility.
> 
> The file selinux-config on my site has all the sample /dev policy converted 
> to the format my hacked devfsd uses.
> 
> The file devfsd-se.diff is the diff between the non-SE and the SE versions of 
> devfsd, it was created against the Debian patched devfsd package, but should 
> apply to a clean devfsd tree.
> 
> There is also full source to devfsd, Debian package source, and a Debian 
> package.
> 
> The URL is http://www.coker.com.au/selinux/devfsd/
> 
> To the NSA people: please do not put any of this code on your site
> or take any formal notice of it yet.  Richard should be given a
> chance to review it before we go any further (he may require small
> but problematic changes such as a different "what" keyword).

Even though there's not an awful lot of code to support this, I'm
still unhappy about the #ifdef's. As I said back in January: I'd much
rather see this done using an extension and GNUmakefile magic to
automatically compile the extension as appropriate. Why not do it that
way?

BTW: why "FLASK"?

				Regards,

					Richard....
Permanent: rgooch@atnf.csiro.au
Current:   rgooch@ras.ucalgary.ca
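As an added illustration, not part of this thread or of Russell's devfsd patch, the following Python parser reads devfsd-style config lines of the form `EVENT REGEX WHAT [ARGS...]`, the format the quoted `REGISTER ^null SELINUX system_u:object_r:null_device_t` line follows, and reproduces the behaviour the message describes: when SE Linux support is absent, `SELINUX` "what" actions are silently dropped rather than rejected. The sample config, the `zero_device_t`/`tty_device_t` types, the `user:role:type` shape check on the context, and the first-match rule for resolving a device name are assumptions of this example; `PERMISSIONS` is a standard devfsd action.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample config, modelled on the line quoted in the message.
# Only the /dev/null line comes from the thread; the others are made up here.
SAMPLE_CONFIG = """\
# devfsd.conf excerpt (constructed for this example)
REGISTER ^null                  SELINUX system_u:object_r:null_device_t
REGISTER ^zero                  SELINUX system_u:object_r:zero_device_t
REGISTER ^tty[0-9]+             SELINUX system_u:object_r:tty_device_t
REGISTER ^null                  PERMISSIONS root.root 0666
"""

# Assumed shape of an SE Linux security context: user:role:type
SELINUX_CONTEXT = re.compile(r"^[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+$")


@dataclass
class Rule:
    event: str                 # e.g. REGISTER
    pattern: re.Pattern        # compiled device-name regex
    what: str                  # e.g. SELINUX, PERMISSIONS
    args: List[str] = field(default_factory=list)


def parse_config(text: str, selinux_supported: bool) -> Tuple[List[Rule], int]:
    """Parse config lines; return (rules, number of SELINUX lines ignored).

    With selinux_supported=False, SELINUX actions are skipped silently, as the
    patched devfsd does on a non-SE kernel or an SE-less build.  With
    selinux_supported=True, a malformed context is a hard error, so a bad
    policy line is caught at load time rather than yielding an unlabelled node.
    """
    rules: List[Rule] = []
    ignored = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected EVENT REGEX WHAT [ARGS...]")
        event, regex, what, *args = fields
        try:
            pattern = re.compile(regex)
        except re.error as exc:
            raise ValueError(f"line {lineno}: bad regex {regex!r}: {exc}") from exc
        if what == "SELINUX":
            if not selinux_supported:
                ignored += 1          # compatibility: drop the line silently
                continue
            if len(args) != 1 or not SELINUX_CONTEXT.match(args[0]):
                raise ValueError(f"line {lineno}: SELINUX needs one user:role:type context")
        rules.append(Rule(event, pattern, what, args))
    return rules, ignored


def context_for(rules: List[Rule], devname: str) -> Optional[str]:
    """Return the SE Linux context the first matching REGISTER/SELINUX rule assigns.

    devname is relative to /dev (e.g. "null", "tty1").  First match wins here;
    that ordering is an assumption of this example, not documented devfsd behaviour.
    """
    for rule in rules:
        if rule.event == "REGISTER" and rule.what == "SELINUX" and rule.pattern.search(devname):
            return rule.args[0]
    return None


if __name__ == "__main__":
    se_rules, _ = parse_config(SAMPLE_CONFIG, selinux_supported=True)
    for name in ("null", "zero", "tty3", "sda"):
        print(f"/dev/{name}: {context_for(se_rules, name)}")
    _, dropped = parse_config(SAMPLE_CONFIG, selinux_supported=False)
    print(f"SELINUX lines ignored without SE support: {dropped}")
```

Loading the same file with `selinux_supported=False` keeps only the `PERMISSIONS` rule, which is exactly the silent-ignore compatibility behaviour Russell describes; the strict context check when support is present is the part a reviewer would want, since a typo in a policy line would otherwise leave a device node with the wrong label.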
