Pseudo-terminal devices (PTYs) are automatically allocated special device files that operate in controller/slave pairs. A process opening one member of a pair communicates with a process opening the other member of the pair. The PTY pair emulates a terminal interface. PTYs are used for cmdtool windows and to support remote login services. Discretionary and mandatory access controls are enforced when the PTY is opened.
If neither the slave nor the controller device is already open, the device special files for both devices are modified: their user ID and sensitivity label are set to the opening process's effective user ID and sensitivity label, and their permission bits are initialized to 600.
If either the slave or the controller device is already open, discretionary and mandatory access controls use the user ID, permission bits, and sensitivity label already set on the device special file.
Data written to the controller device is read from the slave device after undergoing terminal input processing such as erase/kill. Data written to the slave device is read from the controller device after undergoing terminal output processing such as NL to CR-LF translation. The mandatory access policy to read from and write to a PTY is read-down and write-up. See the appropriate man page for specific information on security policy and applicable privileges.
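The open-time rules and the read-down/write-up policy described above can be modelled in a few lines. This is an added example, not code from the original documentation or from the operating system. The classification names, compartments and user IDs are constructed, and the model assumes that an open for reading is checked as read-down and an open for writing as write-up; it leaves out privileges and group permission bits.

```python
from dataclasses import dataclass

LEVELS = {"CONFIDENTIAL": 1, "SECRET": 2}  # constructed sample classifications

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Higher-or-equal classification and a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

@dataclass
class PtyPair:
    # Attributes on the device special files; unset until the first open.
    uid: int = None
    mode: int = None
    label: Label = None
    open_count: int = 0

def dac_ok(pty, euid, read, write):
    # Owner/other bits only; group bits are left out of this model.
    shift = 6 if euid == pty.uid else 0
    need = (4 if read else 0) | (2 if write else 0)
    return ((pty.mode >> shift) & need) == need

def mac_ok(pty, label, read, write):
    # Read-down: the reader dominates the device label.
    # Write-up: the device label dominates the writer.
    return ((not read or label.dominates(pty.label))
            and (not write or pty.label.dominates(label)))

def open_pty(pty, euid, label, read=True, write=True):
    """Model one open() of either side of the pair; True means allowed."""
    if pty.open_count == 0:
        # Neither side open: files take the opener's euid and label, mode 600.
        pty.uid, pty.label, pty.mode = euid, label, 0o600
    elif not (dac_ok(pty, euid, read, write) and mac_ok(pty, label, read, write)):
        # Already open: checks use the attributes already on the files.
        return False
    pty.open_count += 1
    return True

if __name__ == "__main__":
    pty, secret = PtyPair(), Label("SECRET")
    print(open_pty(pty, 100, secret))                             # first open
    print(open_pty(pty, 200, secret))                             # other user
    print(open_pty(pty, 100, Label("CONFIDENTIAL")))              # read+write
    print(open_pty(pty, 100, Label("CONFIDENTIAL"), read=False))  # write-up only
```

In this model a process whose label is incomparable with the device label (a lower classification with an extra compartment, for example) can neither read nor write, because neither label dominates the other.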