
8.2 allowdev(2)

tty devices are the device files /dev/tty*; pts devices are the devices under /dev/pts. A tty device represents a local login terminal, and a pts device represents a terminal in X or an ssh terminal. These devices are attached to a terminal when a user logs in or opens an X/ssh terminal. If you can write to another user's terminal device file, you can write messages to that user's terminal. In an SELinux environment, tty/pts device files are labeled according to the login user's role, so tty/pts device files are treated differently in SPDL.

  1. syntax
    1. allowdev -pts|-tty|-allterm open;
    2. allowdev -pts|-tty|-allterm role [r],[w];
    3. allowdev -pts|-tty|-allterm role admin;
  2. meaning
    -tty means tty devices, -pts means pts devices, and -allterm means both tty and pts devices.
    1. This is usually used in the role section. It allows the role to have its own tty/pts device. At login, the login program gives the role's tty device file the type role prefix_tty_device_t.
    2. Allows reading and writing role's tty device.
    3. Allows changing the label of the tty device, and renaming and unlinking it.
  3. Special role
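
The three statement forms listed under syntax can be checked mechanically when reviewing a policy. The following Python is an added example, not part of SELinux Policy Editor: it parses terminal allowdev statements and lists the ones that grant write or admin. It assumes role names are plain identifiers and that the permission field is r, w or r,w; the sample statements and role names are constructed.

```python
import re

# Forms from the syntax list above. Assumptions: role names are plain
# identifiers, and the permission field is "r", "w" or "r,w".
_STMT = re.compile(
    r"^\s*allowdev\s+-(pts|tty|allterm)\s+"
    r"(?:(open)|([A-Za-z_]\w*)\s+(admin|[rw](?:\s*,\s*[rw])?))\s*;\s*$"
)
_TERMINAL = re.compile(r"^\s*allowdev\s+-(?:pts|tty|allterm)")

def parse_allowdev(line):
    """Return (devices, form, role, perms); raise ValueError if malformed."""
    m = _STMT.match(line)
    if not m:
        raise ValueError(f"malformed terminal allowdev statement: {line!r}")
    target, is_open, role, perm = m.groups()
    devices = ("tty", "pts") if target == "allterm" else (target,)
    if is_open:
        return devices, "open", None, frozenset()
    if perm == "admin":
        return devices, "admin", role, frozenset()
    return devices, "access", role, frozenset(p.strip() for p in perm.split(","))

def risky_rules(policy_text):
    """List (line number, role, devices, grant) for write and admin rules."""
    findings = []
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        if not _TERMINAL.match(line):
            continue  # other statements, including other allowdev forms
        devices, form, role, perms = parse_allowdev(line)
        if form == "admin":
            findings.append((lineno, role, devices, "admin"))  # relabel, rename, unlink
        elif "w" in perms:
            findings.append((lineno, role, devices, "write"))  # can write to that role's terminals
    return findings

# Constructed sample statements; the role names are illustrative only.
SAMPLE = """\
allowdev -allterm open;
allowdev -pts staff_r r,w;
allowdev -tty user_r r;
allowdev -allterm sysadm_r admin;
"""

if __name__ == "__main__":
    for finding in risky_rules(SAMPLE):
        print(finding)
```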


Yuichi Nakamura 2006-11-13