Next: 9 Access control to
Up: 8 Access control to
Previous: 8.1 allowdev(1)
Contents
tty devices are the device files /dev/tty*, and pts devices are the device files under /dev/pts. tty devices represent local login terminals; pts devices represent terminals in X and ssh terminals. A device is linked to a terminal when a user logs in or opens an X/ssh terminal. If you can write to another user's terminal device file, you can write messages to his terminal.
In an SELinux environment, tty/pts device files are labeled according to the login user's role, so tty/pts device files must be treated differently in SPDL.
- syntax
  - allowdev -pts|-tty|-allterm open;
  - allowdev -pts|-tty|-allterm role [r],[w];
  - allowdev -pts|-tty|-allterm role admin;
- meaning
  - -tty means tty devices, -pts means pts devices, and -allterm means both tty and pts devices.
  - open: This is usually used in a role section. It allows the role to have its own tty/pts device. At login, the login program gives the role's tty device file the type role prefix_tty_device_t.
  - [r],[w]: Allow reading/writing the role's tty device.
  - admin: Allow changing the label of the tty device, and renaming and unlinking it.
- Special role
  - general: tty/pts devices before they are labeled (the types are devtty_t, tty_device_t, devpts_t and ptmx_t). Access to these is usually harmless, except for the admin permission.
  - all: The tty/pts devices of all other roles.
  - vcs: Can be used only in allowdev -tty. Means the vcs files (/dev/vcs*, /dev/vcsa*), which provide access to a screen-shot of a tty terminal.
Yuichi Nakamura
2006-11-13