[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: NSA SE enabled devfsd

Russell Coker writes:
> I have hacked support for SE Linux into devfsd.
> For example the following line in a devfsd config will set the SID of 
> /dev/null:
> REGISTER ^null                  SELINUX system_u:object_r:null_device_t
> If the devfsd sees that you are not running an SE kernel, or if you compile 
> the devfsd without SE Linux support then the SELINUX "what" actions will be 
> silently ignored for compatability.
> The file selinux-config on my site has all the sample /dev policy converted 
> to the format my hacked devfsd uses.
> The file devfsd-se.diff is the diff between the non-SE and the SE versions of 
> devfsd, it was created against the Debian patched devfsd package, but should 
> apply to a clean devfsd tree.
> There is also full source to devfsd, Debian package source, and a Debian 
> package.
> The URL is http://www.coker.com.au/selinux/devfsd/
> To the NSA people: please do not put any of this code on your site
> or take any formal notice of it yet.  Richard should be given a
> chance to review it before we go any further (he may require small
> but problematic changes such as a different "what" keyword).

Even though there's not an awful lot of code to support this, I'm
still unhappy about the #ifdef's. As I said back in January: I'd much
rather see this done using an extension and GNUmakefile magic to
automatically compile the extension as appropriate. Why not do it that

BTW: why "FLASK"?


Permanent: rgooch@atnf.csiro.au
Current:   rgooch@ras.ucalgary.ca

Reply to: