
8.9 Configuring access control to devices

8.9.1 allowdev(1)

Device files must be handled carefully, because they are an interface to the kernel. When a device file is linked to a driver that handles critical information, reading from or writing to that device can leak confidential information or break the system. The following allowdev statements restrict access to device files.
  1. syntax
    1. allowdev -root directory;
  2. meaning
    By default, when an allow statement is written for a file, access to device files is not allowed. The directory that contains devices must be declared in advance with allowdev -root. Usually, allowdev -root /dev; in the global domain is enough, because devices exist only under /dev on a normal system.

  3. Example
    	{ 
    	domain httpd_t;
    	allow /dev r,w;
    	}
    
    In the above, httpd_t can access normal files under /dev, but cannot access device files.
    	{ 
    	domain httpd_t;
    	allowdev -root /dev;
    	allow /dev r,w;
    	}
    
    In the above, httpd_t can access both normal files and devices under /dev. However, permission w does not grant creating or removing devices unless allowpriv devcreate is described.
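
A small policy-review helper, added here as an example (it is not part of the SPDL documentation or the SELinux Policy Editor code): it reads SPDL sections in the syntax shown above and reports, per domain, whether device files are readable or writable and whether creating/removing devices is granted. Assumptions: sections are closed with `}`, only allow paths at or below a declared root are considered, and the hypothetical `inherited_roots` parameter stands in for roots declared outside the section, such as in the global domain.

```python
import re

# Constructed sample policy (not from the page), written in the page's syntax.
SAMPLE_POLICY = """
{
domain httpd_t;
allow /dev r,w;
}
{
domain backup_t;
allowdev -root /dev;
allow /dev r,w;
}
{
domain installer_t;
allowdev -root /dev;
allow /dev r,w;
allowpriv devcreate;
}
"""

def _under(path, root):
    # True when path is the root itself or lies below it
    root, path = root.rstrip("/"), path.rstrip("/")
    return path == root or path.startswith(root + "/")

def audit_device_access(spdl, inherited_roots=()):
    """Map each domain to the device-file access its section grants."""
    # inherited_roots (assumption): roots declared outside the section
    report = {}
    for body in re.findall(r"\{(.*?)\}", spdl, re.S):
        stmts = [s.split() for s in body.split(";") if s.strip()]
        domain = next((s[1] for s in stmts if s[0] == "domain" and len(s) == 2), None)
        if domain is None:
            continue
        roots = set(inherited_roots) | {
            s[2] for s in stmts if s[:2] == ["allowdev", "-root"] and len(s) == 3}
        perms = set()
        for s in stmts:
            # allow reaches device files only below a root declared by allowdev -root
            if s[0] == "allow" and len(s) >= 3 and any(_under(s[1], r) for r in roots):
                perms.update("".join(s[2:]).split(","))
        write = "w" in perms
        report[domain] = {
            "read": "r" in perms,
            "write": write,
            # w alone never covers creating or removing device files
            "create_remove": write and ["allowpriv", "devcreate"] in stmts,
        }
    return report
```

Calling `audit_device_access(SAMPLE_POLICY)` returns one entry per domain; a domain with `write` true and `create_remove` false matches the second example above.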

8.9.2 allowdev(2)

tty devices are the device files /dev/tty*; pts devices are the devices under /dev/pts. tty devices represent local login terminals, and pts devices represent terminals in X and ssh terminals. These devices are linked to a terminal when a user logs in or opens an X/ssh terminal. If you can write to another user's terminal device file, you can write messages to that user's terminal. In an SELinux environment, tty/pts device files are given a label according to the login user's role, so tty/pts device files should be treated differently in SPDL.

  1. syntax
    1. allowdev -pts|-tty|-allterm open;
    2. allowdev -pts|-tty|-allterm role [r],[w];
    3. allowdev -pts|-tty|-allterm role admin;
  2. meaning
    -tty means tty devices. -pts means pts devices. -allterm means both tty and pts devices.
    1. This is usually used in the role section. It allows the role to have its own tty/pts device. At login, the login program gives the role's tty device file the type role prefix_tty_device_t.
    2. Allows reading from and writing to the role's tty device.
    3. Allows changing the label of the tty device, and renaming and unlinking it.
  3. Special role


2006-02-27