next up previous contents
Next: 8.2 allowdev(2) Up: 8 Access control to Previous: 8 Access control to   Contents

8.1 allowdev(1)

Device files must be handled carefully. Because device files are interface to kernel. When device file is linked to driver that handles critical information, read/write to such device will lead to leak of confidential information or break of system. Following allowdev statements restricts access to device files.
  1. syntax
    1. allowdev -root directory;
  2. meaning
    By default, when allow statement is described to file, access to device files are not allowed. The directory that contains devices must be described in advance, by allowdev -root.

  3. Example
    	{ 
    	domain httpd_t;
    	allow /dev/* r,w;
    
    In above, httpd_t can access normal files under /dev, but can not access device files.
    	{ 
    	domain httpd_t;
    	allowdev -root /dev;
    	allow /dev/* r,w;
    
    In above, httpd_t can access both normal files and devices under /dev. However, in permission w, creation and remove devices are not granted unless allowpriv devcreate is described.



Yuichi Nakamura 2006-11-13