On Wed, 2007-07-18 at 18:15 -0700, Casey Schaufler wrote:
> --- Joshua Brindle <[EMAIL PROTECTED]> wrote:
>
> > Casey Schaufler wrote:
> > > ...
> > >
> > > I do have a hackish newsmack command, which I should probably include.
> > > All it does is write the new label to /proc/self/attr/current and
> > > exec the desired program. That's not good enough for a production
> > > system because of the well known pty, tty, and open files issues,
> > > but fine for development purposes.
> > >
> >
> > Right, I'd like to see how you solve those problems :)
>
> Me too. Especially with devpts "out of bounds". I have some ideas,
> but I don't know whether they're good ones yet.
I'm not sure what you mean by the above. In selinux, we label the ptys with a
label derived from the allocating task at creation time (handled by
d_instantiate hook), and then let userspace relabel them as appropriate based
on the user session label for login/sshd and newrole.

--
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-security-module"
in the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
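The "open files issue" raised in the thread is that a task which rewrites its own label via /proc/self/attr/current and then execs still carries the descriptors it inherited (its tty or pty among them), and those objects keep the label they were given when they were created. The following is an added illustration of a pre-exec audit for that situation; it is not Casey's newsmack command, nor SELinux or Smack project code. It assumes a Smack-style system where file labels live in the "security.SMACK64" xattr and the task label is readable from /proc/self/attr/current; the "label differs from the target label" test is a conservative heuristic for flagging descriptors worth looking at, not an evaluation of the LSM's actual access rules. The fd_labels dictionary passed to label_leaks() in the usage at the bottom is constructed sample data so the check runs on a machine without the LSM loaded.

```python
import errno
import os

# Assumed xattr name for the per-object label (Smack convention).
LABEL_XATTR = "security.SMACK64"
CURRENT_LABEL_PATH = "/proc/self/attr/current"


def read_current_label():
    """Return the calling task's own label, or None if no LSM exposes one."""
    try:
        with open(CURRENT_LABEL_PATH, "rb") as f:
            return f.read().rstrip(b"\0\n").decode() or None
    except OSError:
        return None


def read_fd_label(fd):
    """Return the object label of an open descriptor, or None if it has none.

    Descriptors are dereferenced through /proc/self/fd so that pipes,
    sockets and ttys are reached the same way as regular files.
    """
    try:
        return os.getxattr(f"/proc/self/fd/{fd}", LABEL_XATTR).decode()
    except OSError as e:
        # No label, xattrs unsupported on this fs, or fd went away: not a leak
        # we can reason about, so report it as unlabeled.
        if e.errno in (errno.ENODATA, errno.ENOTSUP, errno.ENOENT, errno.EBADF):
            return None
        raise


def inherited_fd_labels():
    """Map every open descriptor of this process to its object label."""
    labels = {}
    for name in os.listdir("/proc/self/fd"):
        fd = int(name)
        labels[fd] = read_fd_label(fd)
    return labels


def label_leaks(new_label, fd_labels):
    """Return descriptors whose object label differs from the label the task
    is about to adopt before exec.

    Heuristic only: a descriptor labeled for the old context will survive the
    label change, so anything not matching new_label is flagged for review.
    Unlabeled descriptors (None) cannot be judged and are left out.
    """
    return sorted(
        fd for fd, label in fd_labels.items()
        if label is not None and label != new_label
    )


def audit_before_exec(new_label):
    """Live variant: inspect this process's own descriptors against new_label."""
    return label_leaks(new_label, inherited_fd_labels())


if __name__ == "__main__":
    # Constructed sample: stdin/stdout still carry the login session's label,
    # fd 3 was already relabeled for the target, fd 4 is an unlabeled pipe.
    sample = {0: "User", 1: "User", 3: "Cherry", 4: None}
    print("flagged descriptors:", label_leaks("Cherry", sample))
    if read_current_label() is not None:
        print("live check for this process:", audit_before_exec("Cherry"))
```

The live path (audit_before_exec) is only informative on a kernel with an LSM that exposes both the task label and per-object xattrs; elsewhere every descriptor reads as unlabeled and nothing is flagged, which is the right failure mode for an audit helper.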