2010-10-26 09:58:38

by harrytaurus2002

Subject: [refpolicy] Why console not usable by default?


Hi refpolicy experts,

I am trying to play with the refpolicy from the latest git tree in a qemu environment, which I can log in to from the serial console or by ssh. I ran into a series of problems when logging in from the serial console or running userspace applications on top of it. Attached is the patch I have made up so far to make the serial console "usable" for normal operations.

I couldn't help wondering why the console is not made available to many userspace domains in the refpolicy by default. Take getty_t for instance: in getty.te, not only is getty_t not permitted to use the console, but furthermore a dontaudit rule is used to suppress the related AVC denied messages:

-term_dontaudit_use_console(getty_t)
+term_use_console(getty_t)

I guess I would have to make the above changes in order to log in from the console, otherwise mingetty will fail with the following error messages:
INIT: Id "0" respawning too fast: disabled for 5 minutes
INIT: no more processes left in this runlevel

Furthermore, if we remove the "term_dontaudit_use_console(getty_t)" rule, we can see that /sbin/mingetty fails to execute /bin/login:
type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process


Could someone enlighten me on the decision made about the console in the refpolicy implementation, and why?

Thank you very much!

Best regards,
Harry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: making-the-console-usable.patch
Type: text/x-patch
Size: 2737 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101026/824f6c31/attachment.bin


2010-10-26 11:23:47

by domg472

Subject: [refpolicy] Why console not usable by default?

On Tue, Oct 26, 2010 at 09:58:38AM +0000, TaurusHarry wrote:
>
> Hi refpolicy experts,
>
> I am trying to play with the refpolicy from the latest git tree in a qemu environment, which I can log in to from the serial console or by ssh. I ran into a series of problems when logging in from the serial console or running userspace applications on top of it. Attached is the patch I have made up so far to make the serial console "usable" for normal operations.
>
> I couldn't help wondering why the console is not made available to many userspace domains in the refpolicy by default. Take getty_t for instance: in getty.te, not only is getty_t not permitted to use the console, but furthermore a dontaudit rule is used to suppress the related AVC denied messages:


I am wondering about this as well. I personally usually allow this.
>
> -term_dontaudit_use_console(getty_t)
> +term_use_console(getty_t)
>
> I guess I would have to make the above changes in order to log in from the console, otherwise mingetty will fail with the following error messages:
> INIT: Id "0" respawning too fast: disabled for 5 minutes
> INIT: no more processes left in this runlevel
>
> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)" rule, we can see that /sbin/mingetty fails to execute /bin/login:
> type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
>
>
> Could someone enlighten me on the decision made about the console in the refpolicy implementation, and why?
>
> Thank you very much!
>
> Best regards,
> Harry
>

> From b54492deb244da3a4d1229c492f36573f81230e6 Mon Sep 17 00:00:00 2001
> From: Harry Ciao <[email protected]>
> Date: Tue, 26 Oct 2010 14:39:21 +0800
> Subject: [PATCH] making the console usable
>
> Making various domains able to run on top of console.
>
> Signed-off-by: Harry Ciao <harrytaurus2002@@hotmail.com>
> ---
> policy/modules/kernel/terminal.if | 4 ++++
> policy/modules/system/getty.te | 2 +-
> policy/modules/system/logging.if | 2 +-
> policy/modules/system/userdomain.if | 5 +++++
> 4 files changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> index 492bf76..2a90146 100644
> --- a/policy/modules/kernel/terminal.if
> +++ b/policy/modules/kernel/terminal.if
> @@ -1291,10 +1291,14 @@ interface(`term_setattr_all_ttys',`
> interface(`term_relabel_all_ttys',`
> gen_require(`
> attribute ttynode;
> + type console_device_t;
> ')
>
> dev_list_all_dev_nodes($1)
> allow $1 ttynode:chr_file { relabelfrom relabelto };
> +
> + # Make the calling domain able to relabel the console as well
> + allow $1 console_device_t:chr_file { relabelfrom relabelto };
> ')
>
> ########################################
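Review bot: term_relabel_all_ttys is, by name, a ttynode interface, so adding `allow $1 console_device_t:chr_file { relabelfrom relabelto };` here silently widens the permission for every existing caller of the interface, not only the domains this patch is about. A separate interface for relabelling the console, called explicitly by the domains that need it, would keep the change scoped; if the broader meaning is kept instead, the interface's doc comment above the hunk needs updating to say the console is included.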
> diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
> index 408f4e6..55c2d03 100644
> --- a/policy/modules/system/getty.te
> +++ b/policy/modules/system/getty.te
> @@ -83,7 +83,7 @@ term_use_unallocated_ttys(getty_t)
> term_setattr_all_ttys(getty_t)
> term_setattr_unallocated_ttys(getty_t)
> term_setattr_console(getty_t)
> -term_dontaudit_use_console(getty_t)
> +term_use_console(getty_t)
>
> auth_rw_login_records(getty_t)
>
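Review bot: replacing term_dontaudit_use_console(getty_t) with term_use_console(getty_t) grants getty access to /dev/console unconditionally, although, as noted in the thread, getty normally runs on /dev/tty* rather than the console. Wrapping the allow in a tunable_policy block, with the dontaudit in the else branch, keeps the tighter default on systems that do not log in on the console. The noatsecure denial from getty_t to local_login_t quoted in the mail is not touched by this hunk, so whether it still affects the console login should be confirmed separately.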
> diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
> index c7cfb62..6c648dc 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -540,7 +540,7 @@ interface(`logging_send_syslog_msg',`
> # If syslog is down, the glibc syslog() function
> # will write to the console.
> term_write_console($1)
> - term_dontaudit_read_console($1)
> + term_read_console($1)
> ')
>
> ########################################
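Review bot: the comment directly above the changed line says only that glibc syslog() writes to the console when syslogd is down, and term_write_console($1) already covers that; changing term_dontaudit_read_console($1) to term_read_console($1) lets every domain that calls logging_send_syslog_msg read /dev/console, which is far broader than the stated purpose. Either keep the dontaudit, or document in the comment which caller actually needs read access and grant it to that domain alone.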
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d1bd453..aa6e1f0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -44,6 +44,11 @@ template(`userdom_base_user_template',`
>
> term_user_tty($1_t, user_tty_device_t)
>
> + # Make all kinds of unprivileged user such as
> + # user/staff/secadm/auditadm able to log in
> + # from the console successfully.
> + term_use_console($1_t)
> +
> allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
> allow $1_t self:fd use;
> allow $1_t self:fifo_file rw_fifo_file_perms;
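Review bot: term_use_console($1_t) placed unconditionally in userdom_base_user_template applies to every user domain derived from the template, so the comment's list of user/staff/secadm/auditadm understates the scope. As with the getty change, this belongs in a tunable so console access for user domains can be switched off where logins arrive on /dev/tty*; the comment should also state what fails without the rule (the console login, per the cover mail) rather than restate the rule.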
> --
> 1.7.0.4
>

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


2010-10-26 12:03:48

by cpebenito

Subject: [refpolicy] Why console not usable by default?

On 10/26/10 05:58, TaurusHarry wrote:
> Hi refpolicy experts,
>
> I am trying to play with the refpolicy from the latest git tree in a
> qemu environment, which I can log in to from the serial console or by
> ssh. I ran into a series of problems when logging in from the serial
> console or running userspace applications on top of it. Attached is the
> patch I have made up so far to make the serial console "usable" for
> normal operations.
>
> I couldn't help wondering why the console is not made available to many
> userspace domains in the refpolicy by default. Take getty_t for
> instance: in getty.te, not only is getty_t not permitted to use the
> console, but furthermore a dontaudit rule is used to suppress the
> related AVC denied messages:
>
> -term_dontaudit_use_console(getty_t)
> +term_use_console(getty_t)
>
> I guess I would have to make the above changes in order to log in from
> the console, otherwise mingetty will fail with the following error
> messages:
> INIT: Id "0" respawning too fast: disabled for 5 minutes
> INIT: no more processes left in this runlevel
>
> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
> rule, we can see that /sbin/mingetty fails to execute /bin/login:
> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
> for pid=2292 comm="login"
> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
>
>
> Could someone enlighten me on the decision made about the console in
> the refpolicy implementation, and why?

It is this way because getty doesn't normally run on /dev/console. It
normally runs on /dev/tty*.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-26 12:27:28

by Daniel Walsh

Subject: [refpolicy] Why console not usable by default?

On 10/26/2010 08:03 AM, Christopher J. PeBenito wrote:
> On 10/26/10 05:58, TaurusHarry wrote:
>> Hi refpolicy experts,
>>
>> I am trying to play with the refpolicy from the latest git tree in a
>> qemu environment, which I can log in to from the serial console or by
>> ssh. I ran into a series of problems when logging in from the serial
>> console or running userspace applications on top of it. Attached is the
>> patch I have made up so far to make the serial console "usable" for
>> normal operations.
>>
>> I couldn't help wondering why the console is not made available to many
>> userspace domains in the refpolicy by default. Take getty_t for
>> instance: in getty.te, not only is getty_t not permitted to use the
>> console, but furthermore a dontaudit rule is used to suppress the
>> related AVC denied messages:
>>
>> -term_dontaudit_use_console(getty_t)
>> +term_use_console(getty_t)
>>
>> I guess I would have to make the above changes in order to log in from
>> the console, otherwise mingetty will fail with the following error
>> messages:
>> INIT: Id "0" respawning too fast: disabled for 5 minutes
>> INIT: no more processes left in this runlevel
>>
>> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
>> rule, we can see that /sbin/mingetty fails to execute /bin/login:
>> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
>> for pid=2292 comm="login"
>> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
>> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
>>
>>
>> Could someone enlighten me on the decision made about the console in
>> the refpolicy implementation, and why?
>
> It is this way because getty doesn't normally run on /dev/console. It
> normally runs on /dev/tty*.
>
>
Fedora has term_use_console.

I think on system390 it is also required.

2010-10-27 09:11:14

by harrytaurus2002

Subject: [refpolicy] Why console not usable by default?


Hi Daniel and Chris,

Thanks for your answers. Then I simply guess the support for the console has been deliberately removed (it used to be supported way back in refpolicy-20081210, but no longer in refpolicy-20091117) just because refpolicy is developed and tested on a platform where the console is no longer used by mingetty, but /dev/tty* instead.

Thus it would make a lot of sense to cross-reference the SELinux policy implementations on different distributions if one ever gets stuck on one of them :-)

Thanks again,
Harry

> Date: Tue, 26 Oct 2010 08:27:28 -0400
> From: dwalsh at redhat.com
> To: cpebenito at tresys.com
> CC: harrytaurus2002 at hotmail.com; refpolicy at oss1.tresys.com
> Subject: Re: [refpolicy] Why console not usable by default?
>
> On 10/26/2010 08:03 AM, Christopher J. PeBenito wrote:
> > On 10/26/10 05:58, TaurusHarry wrote:
> >> Hi refpolicy experts,
> >>
> >> I am trying to play with the refpolicy from the latest git tree in a
> >> qemu environment, which I can log in to from the serial console or by
> >> ssh. I ran into a series of problems when logging in from the serial
> >> console or running userspace applications on top of it. Attached is the
> >> patch I have made up so far to make the serial console "usable" for
> >> normal operations.
> >>
> >> I couldn't help wondering why the console is not made available to many
> >> userspace domains in the refpolicy by default. Take getty_t for
> >> instance: in getty.te, not only is getty_t not permitted to use the
> >> console, but furthermore a dontaudit rule is used to suppress the
> >> related AVC denied messages:
> >>
> >> -term_dontaudit_use_console(getty_t)
> >> +term_use_console(getty_t)
> >>
> >> I guess I would have to make the above changes in order to log in from
> >> the console, otherwise mingetty will fail with the following error
> >> messages:
> >> INIT: Id "0" respawning too fast: disabled for 5 minutes
> >> INIT: no more processes left in this runlevel
> >>
> >> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
> >> rule, we can see that /sbin/mingetty fails to execute /bin/login:
> >> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
> >> for pid=2292 comm="login"
> >> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> >> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
> >>
> >>
> >> Could someone enlighten me on the decision made about the console in
> >> the refpolicy implementation, and why?
> >
> > It is this way because getty doesn't normally run on /dev/console. It
> > normally runs on /dev/tty*.
> >
> >
> Fedora has term_use_console.
>
> I think on system390 it is also required.


2010-10-27 12:22:38

by cpebenito

Subject: [refpolicy] Why console not usable by default?

On 10/26/10 08:27, Daniel J Walsh wrote:
> On 10/26/2010 08:03 AM, Christopher J. PeBenito wrote:
>> On 10/26/10 05:58, TaurusHarry wrote:
>>> Hi refpolicy experts,
>>>
>>> I am trying to play with the refpolicy from the latest git tree in a
>>> qemu environment, which I can log in to from the serial console or by
>>> ssh. I ran into a series of problems when logging in from the serial
>>> console or running userspace applications on top of it. Attached is the
>>> patch I have made up so far to make the serial console "usable" for
>>> normal operations.
>>>
>>> I couldn't help wondering why the console is not made available to many
>>> userspace domains in the refpolicy by default. Take getty_t for
>>> instance: in getty.te, not only is getty_t not permitted to use the
>>> console, but furthermore a dontaudit rule is used to suppress the
>>> related AVC denied messages:
>>>
>>> -term_dontaudit_use_console(getty_t)
>>> +term_use_console(getty_t)
>>>
>>> I guess I would have to make the above changes in order to log in from
>>> the console, otherwise mingetty will fail with the following error
>>> messages:
>>> INIT: Id "0" respawning too fast: disabled for 5 minutes
>>> INIT: no more processes left in this runlevel
>>>
>>> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
>>> rule, we can see that /sbin/mingetty fails to execute /bin/login:
>>> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
>>> for pid=2292 comm="login"
>>> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
>>> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
>>>
>>>
>>> Could someone enlighten me on the decision made about the console in
>>> the refpolicy implementation, and why?
>
>> It is this way because getty doesn't normally run on /dev/console. It
>> normally runs on /dev/tty*.
>
>
> Fedora has term_use_console.
>
> I think on system390 it is also required.

Last time I looked at the Fedora getty patch, it had this
unconditionally allowed. Send me a patch with all of the /dev/console
usage related to this in a tunable, and I'll be open to merging it.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
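As an added illustration of the tunable Chris asks for (this is not code from the thread or from refpolicy itself, and the boolean name getty_use_console is an assumption), this is how the getty.te part of the patch could be written so that console access stays off by default and is switched on only on systems whose login terminal really is /dev/console:

```selinux
## <desc>
## <p>
## Allow getty to run on /dev/console. Needed when the
## login terminal is the system console (for example a
## serial console) rather than a /dev/tty* device.
## Hypothetical boolean name, not part of refpolicy.
## </p>
## </desc>
gen_tunable(getty_use_console, false)

########################################
#
# Local policy
#

# Tunable off (default): keep the current refpolicy behaviour and
# silence the expected denials instead of granting access.
# Tunable on: grant the read/write access mingetty needs on
# console_device_t so the console login no longer respawn-loops.
tunable_policy(`getty_use_console',`
	term_use_console(getty_t)
',`
	term_dontaudit_use_console(getty_t)
')
```

On a system booted with a serial console the boolean is then enabled with `setsebool -P getty_use_console 1`; the remaining /dev/console call sites from the patch (the user template and the syslog interface) would need the same treatment rather than an unconditional allow.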