From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 14 Aug 2009 13:05:18 -0400
Subject: [refpolicy] Questions about the staff_u user in refpolicy-20081210
In-Reply-To:
References: <1250081706.27712.46.camel@gorn>
Message-ID: <1250269518.27712.62.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2009-08-13 at 07:41 +0000, TaurusHarry wrote:
> this problem persists: logging harry in locally at the login prompt
> will fail with the default role of staff_r. The fact that assuming
> other roles than staff_r would successfully log in makes me wonder whether
> staff_t may lack necessary permissions during login; then I found
> the below AVC denied messages in the audit log:
[...]
> type=AVC msg=audit(1250185345.048:1115): avc: denied { read write }
> for pid=3762 comm="bash" name="console" dev=sda1 ino=8356
> scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255
> tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file
> [root/auditadm_r/s15:c0.c255 at d610-2 ~]#
>
> The above messages seem to prove my guess that staff_t just
> does not have enough permissions on the system console, and after I modified
> staff.te to add a call to the term_use_console() interface for staff_t,
> the staff user "harry" could finally log in locally with the default
> staff_r role.

I mentioned this before; there is a Fedora patch for logging in at the
console which needs to be reevaluated for refpolicy inclusion.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
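An added example, not code from the thread or from refpolicy: a small Python triage helper that parses the AVC record quoted above and checks whether the chr_file rule that term_use_console() adds for staff_t would have allowed the denied permissions. The permission set modelled for term_use_console() (rw_chr_file_perms on console_device_t) is my assumption about that interface's expansion, not something the message states.

```python
import re
from dataclasses import dataclass

# Constructed input: the AVC record quoted in the thread, joined back onto one line.
AVC_LINE = ('type=AVC msg=audit(1250185345.048:1115): avc: denied { read write } '
            'for pid=3762 comm="bash" name="console" dev=sda1 ino=8356 '
            'scontext=staff_u:staff_r:staff_t:s0-s15:c0.c255 '
            'tcontext=staff_u:object_r:console_device_t:s0 tclass=chr_file')

# Assumption: term_use_console($1) grants rw_chr_file_perms on console_device_t:chr_file.
RW_CHR_FILE_PERMS = frozenset({"getattr", "open", "read", "write", "append", "ioctl", "lock"})

@dataclass(frozen=True)
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perms: frozenset

@dataclass(frozen=True)
class AllowRule:
    source_type: str
    target_type: str
    tclass: str
    perms: frozenset

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
                     r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line: str) -> Denial:
    """Extract source/target types, object class and denied permissions from one AVC record."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    # A context is user:role:type[:range]; the type is always the third field.
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return Denial(stype, ttype, m.group("tclass"), frozenset(m.group("perms").split()))

def term_use_console(domain: str) -> AllowRule:
    """Model the chr_file rule term_use_console(domain) would add (assumed expansion)."""
    return AllowRule(domain, "console_device_t", "chr_file", RW_CHR_FILE_PERMS)

def missing_perms(denial: Denial, rule: AllowRule) -> frozenset:
    """Denied permissions the rule does not grant; empty means the rule covers the denial."""
    key = (denial.source_type, denial.target_type, denial.tclass)
    if key != (rule.source_type, rule.target_type, rule.tclass):
        return denial.perms
    return denial.perms - rule.perms

def covered(denial: Denial, rule: AllowRule) -> bool:
    """True when the rule would have allowed everything the denial reports."""
    return not missing_perms(denial, rule)
```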