Hi SELinux experts,
Thank you for reading my email. I am trying to write an SELinux .pp for the vlock program (Virtual Console Locking program). So far I get no more AVC denied messages in permissive mode and only one USER_AUTH failure message in Enforcing mode. What interface should I have added for the vlock_t domain?
[root/sysadm_r/s0 at cp3020 ~]# date +%T
23:24:07
[root/sysadm_r/s0 at cp3020 ~]# vlock
[root/sysadm_r/s0 at cp3020 ~]# newrole -r auditadm_r -l s15:c0.c255 -p -- -c "ausearch -sv no -ts 23:24:07 -se vlock_t"
Password:
----
time->Wed Mar 10 23:24:54 2010
type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
----
time->Wed Mar 10 23:24:54 2010
type=USER_AUTH msg=audit(1268263494.644:13159): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
[root/sysadm_r/s0 at cp3020 ~]#
As you can see, in Enforcing mode vlock just exits silently. In permissive mode, the vlock program runs successfully, like below:
[root/sysadm_r/s0 at cp3020 ~]# vlock
*** This tty is not a VC (virtual console). ***
*** It may not be securely locked. ***
This TTY is now locked.
Please enter the password to unlock.
root's Password:
[root/sysadm_r/s0 at cp3020 ~]#
So the problem must be rooted in my vlock.pp; the .te file is attached at the bottom. How should I address the above USER_AUTH failure?
Thanks again!
Best regards,
Harry
----------
policy_module(vlock, 1.0.0)

########################################
#
# Declarations
#

type vlock_t;
type vlock_exec_t;
application_domain(vlock_t, vlock_exec_t)

########################################
#
# Vlock local policy
#

allow vlock_t self:fd use;
allow vlock_t self:fifo_file rw_fifo_file_perms;
allow vlock_t self:unix_dgram_socket { create connect };
# user-space audit records (USER_AUTH, CRED_REFR, ...) go out over the audit netlink socket
allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

kernel_read_system_state(vlock_t)

corecmd_list_bin(vlock_t)
corecmd_read_bin_symlinks(vlock_t)

files_read_etc_files(vlock_t)
files_read_var_files(vlock_t)
files_read_var_symlinks(vlock_t)

# read/write access to the tty and pty device nodes of all users
term_use_all_user_ttys(vlock_t)
term_use_all_user_ptys(vlock_t)

# the password check itself runs in the chkpwd helper domain
auth_domtrans_chk_passwd(vlock_t)

miscfiles_read_localization(vlock_t)

logging_send_syslog_msg(vlock_t)

selinux_getattr_fs(vlock_t)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20100311/63693348/attachment.html
On 03/10/2010 10:15 PM, TaurusHarry wrote:
> Hi SELinux experts,
>
> Thank you for reading my email. I am trying to write an SELinux .pp for
> the vlock program (Virtual Console Locking program). So far I get no
> more AVC denied messages in permissive mode and only one USER_AUTH
> failure message in Enforcing mode. What interface should I have added
> for the vlock_t domain?
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
semodule -DB
Will turn off the dontaudit rules. From the error it looks like you have
a problem accessing the terminal.
ls -lZ `tty`
Date: Thu, 11 Mar 2010 08:24:11 -0500
From: dwalsh at redhat.com
To: harrytaurus2002 at hotmail.com
CC: refpolicy at oss1.tresys.com
Subject: Re: [refpolicy] How to address USER_AUTH PAM authentication failure?
semodule -DB
Will turn off the dontaudit rules. From the error it looks like you
have a problem accessing the terminal.
ls -lZ `tty`
Many thanks Daniel. I then added a call to the userdom_use_user_terminals() interface for the vlock_t domain and verified that vlock_t has enough access rights on the tty device:
[root/secadm_r/s0 at cp3020 ~]# ls -Z `tty`
crw--w---- harry tty staff_u:object_r:user_devpts_t:s0 /dev/pts/0
[root/secadm_r/s0 at cp3020 ~]# sesearch -SCA -s vlock_t -t user_devpts_t
Found 1 semantic av rules:
allow vlock_t user_devpts_t : chr_file { ioctl read write getattr open } ;
[root/secadm_r/s0 at cp3020 ~]#
However, unfortunately, I still get the following USER_AUTH message with "terminal=?":
type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
So far I have called the following three terminal-related interfaces for vlock_t:
term_use_all_user_ttys(vlock_t)
term_use_all_user_ptys(vlock_t)
userdom_use_user_terminals(vlock_t)
What else could I have missed? From the log of some other program such as run_init_t, I can see its USER_AUTH message is a success with terminal=pts/1, and only the userdom_use_user_terminals() interface has been called for run_init_t. I really don't get why this same interface won't work for vlock_t.
BTW, I have tried semodule -DB, but there are no other AVC denied messages in permissive mode, and I only get the above USER_AUTH message in enforcing mode, so it seems I have to get over this USER_AUTH failure before I can move on to anything else.
Thanks again!
Harry
On 03/11/2010 10:24 PM, TaurusHarry wrote:
USER_AUTH is not an SELinux error message. It indicates that, for whatever
reason, your PAM session failed.
type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0
auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?,
addr=?, terminal=? res=failed)'
'op=PAM:authentication acct="root" exe="/usr/bin/vlock" res=failed
If this only happens in Enforcing mode then it could be an SELinux
issue, but if it happens in permissive, you most likely have a different
problem.
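Daniel's point that USER_AUTH is a PAM record and not an AVC suggests a small triage step before adding any rule, and it fits the enforcing-versus-permissive comparison Harry ran with ausearch in his first message: pair each failed PAM authentication with whatever AVC denials the same domain produced in the same window. The script below is an added example, not code from the thread or from refpolicy. Its input is constructed: the two USER_AUTH records are the ones Harry posted, while the AVC record is a hypothetical fd-use denial invented only to show the second branch of the verdict; the verdict wording is mine.

```shell
#!/bin/sh
# Added example, not from the thread: correlate failed PAM USER_AUTH records
# with AVC denials per SELinux domain, so that "res=failed" with no AVC is
# flagged as a dontaudit / inherited-descriptor question rather than a
# rule to add blindly.

# Constructed sample input. The USER_AUTH records copy Harry's; the AVC record
# is hypothetical (an fd-use denial against sshd_t) and only illustrates the
# branch where a denial *was* logged.
USER_AUTH_1="type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/bin/vlock\" (hostname=?, addr=?, terminal=? res=failed)'"
USER_AUTH_2="type=USER_AUTH msg=audit(1268263494.644:13159): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/bin/vlock\" (hostname=?, addr=?, terminal=? res=failed)'"
AVC_FD="type=AVC msg=audit(1268263494.630:13154): avc:  denied  { use } for  pid=3758 comm=\"vlock\" path=\"/dev/pts/0\" dev=devpts ino=3 scontext=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tclass=fd"

# Read ausearch-style records on stdin. Print one line per domain that had a
# failed PAM authentication, listing the AVC denials (tclass:perms) seen for it.
triage_pam_failures() {
    awk '
    # the third field of user:role:type:level is the type
    function ctx_type(ctx,   p) { split(ctx, p, ":"); return p[3] }
    # value of the first match of re, minus skip chars at the front and trim at the end
    function field(re, skip, trim) {
        if (match($0, re)) return substr($0, RSTART + skip, RLENGTH - skip - trim)
        return "?"
    }
    /^type=USER_AUTH / && /res=failed/ {
        d = ctx_type(field("subj=[^ ]+", 5, 0))
        failed[d]++
        exe[d]  = field("exe=\"[^\"]+", 5, 0)
        term[d] = field("terminal=[^ ]+", 9, 0)
    }
    /^type=AVC / && /denied/ {
        d = ctx_type(field("scontext=[^ ]+", 9, 0))
        avcs[d] = avcs[d] field("tclass=[^ ]+", 7, 0) ":" field("[{] [^}]* [}]", 2, 2) ";"
    }
    END {
        for (d in failed) {
            if (d in avcs)
                printf "%s exe=%s pam_failed=%d terminal=%s avc=%s verdict=grant or dontaudit these denials\n", d, exe[d], failed[d], term[d], avcs[d]
            else
                printf "%s exe=%s pam_failed=%d terminal=%s avc=none verdict=no AVC logged: semodule -DB, then check inherited fds and the tty\n", d, exe[d], failed[d], term[d]
        }
    }' | sort
}

# Harry's situation: PAM failed twice, nothing from the AVC.
triage_without_avc() { printf '%s\n' "$USER_AUTH_1" "$USER_AUTH_2" | triage_pam_failures; }
# The same records plus the hypothetical fd denial.
triage_with_avc()    { printf '%s\n' "$AVC_FD" "$USER_AUTH_1" "$USER_AUTH_2" | triage_pam_failures; }

triage_without_avc
triage_with_avc
```

On a live system, feed it `ausearch -m AVC,USER_AUTH -ts <time> -se <domain>` output instead of the embedded lines; the `terminal=?` column is worth watching on its own, since in the thread it changed to `terminal=pts/0` the moment the missing rule was added.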
Date: Fri, 12 Mar 2010 08:22:22 -0500
From: dwalsh at redhat.com
To: harrytaurus2002 at hotmail.com
CC: refpolicy at oss1.tresys.com
Subject: Re: [refpolicy] How to address USER_AUTH PAM authentication failure?
USER_AUTH is not an SELinux error message. It indicates that, for whatever
reason, your PAM session failed.
type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0
auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
(hostname=?, addr=?, terminal=? res=failed)'
'op=PAM:authentication acct="root" exe="/usr/bin/vlock" res=failed
If this only happens in Enforcing mode then it could be an SELinux
issue, but if it happens in permissive, you most likely have a
different problem.
---------------------------------
Hi Daniel,
Yeah, this problem exists only in Enforcing mode; in permissive mode everything is fine, but there are no helpful denied messages. Later I borrowed some interfaces called for newrole_t and run_init_t and finally found that once I applied the domain_use_interactive_fds() interface to my vlock_t, vlock worked fine, with the success message below:
time->Sun Mar 14 23:34:01 2010
type=CRED_REFR msg=audit(1268609641.096:831): user pid=2863 uid=0 auid=1000 ses=2 subj=staff_u:secadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:setcred acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=pts/0 res=success)'
I don't have a deep understanding of the role this interface plays for the calling domain so far, but it did resolve my problem. Thanks for all your suggestions!
Best regards,
Harry
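What the thread arrives at, assembled as an added example that is not code posted in the thread: Harry's vlock.te with the domain_use_interactive_fds() call he reports as the fix, plus the .fc and .if files a refpolicy module usually carries, and the commands to build, load and re-check it. The file context line, the vlock_domtrans/vlock_run interfaces and the Makefile path are assumptions of mine; the thread never shows how the user domain transitions into vlock_t, nor which package supplies the devel Makefile on Harry's system.

```shell
#!/bin/sh
# Added example, not from the thread or refpolicy: the finished vlock module
# (Harry's rules + domain_use_interactive_fds) with the .fc/.if files and the
# build, load and verify steps. Assumed: vlock.fc label, vlock_domtrans/vlock_run
# interfaces, and the devel Makefile path (selinux-policy-devel on Fedora/RHEL).
set -eu

write_vlock_policy() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/vlock.te" <<'EOF'
policy_module(vlock, 1.0.1)

type vlock_t;
type vlock_exec_t;
application_domain(vlock_t, vlock_exec_t)

allow vlock_t self:fd use;
allow vlock_t self:fifo_file rw_fifo_file_perms;
allow vlock_t self:unix_dgram_socket { create connect };
allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

# pam_unix password check happens in the chkpwd helper domain
auth_domtrans_chk_passwd(vlock_t)

corecmd_list_bin(vlock_t)
corecmd_read_bin_symlinks(vlock_t)

# use stdin/stdout/stderr descriptors inherited from the login program
# (interactive_fd_type domains); adding this turned terminal=? into
# terminal=pts/0 in the thread
domain_use_interactive_fds(vlock_t)

files_read_etc_files(vlock_t)
files_read_var_files(vlock_t)
files_read_var_symlinks(vlock_t)

kernel_read_system_state(vlock_t)

logging_send_syslog_msg(vlock_t)

miscfiles_read_localization(vlock_t)

selinux_getattr_fs(vlock_t)

term_use_all_user_ttys(vlock_t)
term_use_all_user_ptys(vlock_t)

userdom_use_user_terminals(vlock_t)
EOF
    # Assumed label; the thread only shows exe="/usr/bin/vlock".
    cat > "$dir/vlock.fc" <<'EOF'
/usr/bin/vlock		--	gen_context(system_u:object_r:vlock_exec_t,s0)
EOF
    # Assumed interfaces: a user domain's module would call e.g.
    # vlock_run(sysadm_t, sysadm_r) to enter vlock_t.
    cat > "$dir/vlock.if" <<'EOF'
interface(`vlock_domtrans',`
	gen_require(`
		type vlock_t, vlock_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, vlock_exec_t, vlock_t)
')

interface(`vlock_run',`
	gen_require(`
		type vlock_t;
	')

	vlock_domtrans($1)
	role $2 types vlock_t;
')
EOF
}

build_and_install() {
    # root + selinux-policy-devel; compiles *.te/*.if/*.fc into vlock.pp
    make -C "$1" -f /usr/share/selinux/devel/Makefile vlock.pp
    semodule -i "$1/vlock.pp"
    restorecon -v /usr/bin/vlock     # apply vlock_exec_t to the binary
}

verify_vlock() {
    # 1. the fd-use grant must be in the loaded policy
    sesearch -A -s vlock_t -c fd -p use
    # 2. disable dontaudit rules and run once in permissive so every denial is logged
    semodule -DB
    setenforce 0
    vlock || true
    ausearch -m AVC,USER_AUTH -ts recent -se vlock_t || true
    setenforce 1
    semodule -B                      # restore the dontaudit rules
}

case "${1-}" in
    write)   write_vlock_policy "${2:-./vlock}" ;;
    install) write_vlock_policy "${2:-./vlock}"; build_and_install "${2:-./vlock}" ;;
    verify)  verify_vlock ;;
esac
```

`write DIR` only generates the three files; `install` and `verify` need root and a refpolicy-based system. The verify step leaves dontaudit rules disabled for just the one permissive run and puts them back with `semodule -B`, since a policy with dontaudit stripped is considerably noisier in normal operation.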