* serial devices
From: Russell Coker @ 2003-10-04  4:20 UTC (permalink / raw)
  To: SE Linux

Currently we have serial ports labeled at tty_device_t by default.

The problem is that serial ports are used for modems, printers, and many other 
things than terminals.  Currently the sample policy does not permit such 
access.  So cups and lpd are not granted access, and if you want to run 
minicom you have to change the context of the device (and add new policy) or 
run minicom as sysadm_t.

I have been thinking of creating a new type for non-login serial devices and 
granting pppd, cups and lpd full access to it, then the administrator would 
have the option of granting users access to it for running minicom without 
allowing them to spoof logins.

Another possibility is to have different types for the device as used by cups, 
pppd, and minicom.  Then change the contexts of serial devices to indicate 
which service they are for, but this could be painful to administer.

What do you think?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
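
The two labeling options from this message, sketched as policy and file-context fragments. This is an added illustration, not part of the original message or of the sample policy: the serial device type names and the ttyS assignments are hypothetical, the domain names `pppd_t`, `cupsd_t`, `lpd_t` and `user_t` are assumed, and type attributes are omitted.

```selinux
# Permission sets are kept minimal; policies for kernels that define the
# "open" permission on chr_file need it added to each rule.

# --- Option 1: one shared type for all non-login serial devices ---------
type serial_device_t;            # hypothetical type name

allow pppd_t  serial_device_t:chr_file { getattr read write ioctl };
allow cupsd_t serial_device_t:chr_file { getattr read write ioctl };
allow lpd_t   serial_device_t:chr_file { getattr read write ioctl };
# Optional, at the administrator's choice (users running minicom):
# allow user_t serial_device_t:chr_file { getattr read write ioctl };

# file_contexts for option 1 (device assignments constructed):
#   /dev/ttyS0   -c   system_u:object_r:tty_device_t       # login line
#   /dev/ttyS1   -c   system_u:object_r:serial_device_t    # modem
#   /dev/ttyS2   -c   system_u:object_r:serial_device_t    # serial printer
#
# Effect: none of these domains can reach the login line, so logins
# cannot be spoofed, but every one of them can reach every non-login
# port, the modem on ttyS1 included.

# --- Option 2: one type per consuming service ---------------------------
type pppd_serial_device_t;       # hypothetical type names
type cups_serial_device_t;
type minicom_serial_device_t;

allow pppd_t  pppd_serial_device_t:chr_file { getattr read write ioctl };
allow cupsd_t cups_serial_device_t:chr_file { getattr read write ioctl };
allow lpd_t   cups_serial_device_t:chr_file { getattr read write ioctl };
# allow user_t minicom_serial_device_t:chr_file { getattr read write ioctl };

# file_contexts for option 2 (device assignments constructed):
#   /dev/ttyS0   -c   system_u:object_r:tty_device_t
#   /dev/ttyS1   -c   system_u:object_r:pppd_serial_device_t
#   /dev/ttyS2   -c   system_u:object_r:cups_serial_device_t
#
# Effect: cupsd_t has no rule for pppd_serial_device_t, so access to the
# modem from the print daemon is denied. The cost is that each port must
# be relabeled by hand whenever the attached hardware changes.
```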



* Re: serial devices
From: Brian May @ 2003-10-04  8:01 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

On Sat, Oct 04, 2003 at 02:20:21PM +1000, Russell Coker wrote:
> Currently we have serial ports labeled at tty_device_t by default.
> 
> The problem is that serial ports are used for modems, printers, and many other 
> things than terminals.  Currently the sample policy does not permit such 
> access.  So cups and lpd are not granted access, and if you want to run 
> minicom you have to change the context of the device (and add new policy) or 
> run minicom as sysadm_t.
> 
> I have been thinking of creating a new type for non-login serial devices and 
> granting pppd, cups and lpd full access to it, then the administrator would 
> have the option of granting users access to it for running minicom without 
> allowing them to spoof logins.

What would happen on smaller systems like my desktop machine where I
want to use modems for dial-in and dial-out?

> Another possibility is to have different types for the device as used by cups, 
> pppd, and minicom.  Then change the contexts of serial devices to indicate 
> which service they are for, but this could be painful to administer.

This would be my preference. If I have a modem connected to the serial
port, I don't want somebody compromising cups, and then using that as a
stepping stone to make expensive telephone calls at my expense...

Not that I consider this very likely.

If it's going to be difficult to administer, I wonder if there is anything
that could be done to simplify the task?
-- 
Brian May <bam@snoopy.apana.org.au>


* Re: serial devices
From: James Morris @ 2003-10-04 13:12 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

On Sat, 4 Oct 2003, Russell Coker wrote:

> Another possibility is to have different types for the device as used by cups, 
> pppd, and minicom.  Then change the contexts of serial devices to indicate 
> which service they are for, but this could be painful to administer.
> 
> What do you think?

It would be good not to need to run so many things in sysadm_t, but 
complicated administration is also a security problem.


- James
-- 
James Morris
<jmorris@redhat.com>




* serial devices
From: Detlef Spillner @ 2007-08-16 13:38 UTC (permalink / raw)
  To: linux-hotplug

Hi,

first: sorry for my bad English.

Can anybody give me a secret about creating permanent serial devices 
(ttyS4 ... ttyS11) in a udev system?

The user manuals are not helpful for this case. My devices aren't 
hotpluggable. If I use /dev/MAKEDEV the devices are created in 
/dev/.static/dev. OK. But setserial doesn't find these devices.

THXIA


-- 
.......................................................
Detlef Spillner
GFZ GeoForschungsZentrum Potsdam, a Helmholtz Centre
-technical assistant-
Telegrafenberg
D-14473 Potsdam
Tel. ++49 (0)331 - 288 1117
Fax
e-mail: detlef.spillner@gfz-potsdam.de


* Re: serial devices
From: Kay Sievers @ 2007-08-16 14:51 UTC (permalink / raw)
  To: linux-hotplug

On 8/16/07, Detlef Spillner <detlef.spillner@gfz-potsdam.de> wrote:
> Can anybody give me a secret about creating permanent serial devices
> (ttyS4 ... ttyS11) in a udev system?
>
> The user manuals are not helpful for this case. My devices aren't
> hotpluggable. If I use /dev/MAKEDEV the devices are created in
> /dev/.static/dev. OK. But setserial doesn't find these devices.

What's the bus these devices are coming from? A PCI card?

What does:
  udevinfo --attribute-walk --name ttyS4
print?

Kay
