From: harrytaurus2002@hotmail.com (TaurusHarry)
Date: Tue, 26 Oct 2010 09:58:38 +0000
Subject: [refpolicy] Why console not usable by default?
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi refpolicy experts,

I am trying to play with the refpolicy from the latest git tree in a qemu environment, which I can log in to from the serial console or by ssh.

I ran into a series of problems when logging in from the serial console or running userspace applications on top of it. Attached is the patch I have made so far to make the serial console "usable" by normal operations.

I couldn't help wondering why the console is not made available for many userspace domains in the refpolicy by default. Take getty_t for instance: in getty.te, not only is getty_t not permitted to use the console, but furthermore a dontaudit rule is used to suppress the related AVC Denied messages:

-term_dontaudit_use_console(getty_t)
+term_use_console(getty_t)

I guess I would have to make the above changes in order to log in from the console, otherwise mingetty will fail with the following error messages:

INIT: Id "0" respawning too fast: disabled for 5 minutes
INIT: no more processes left in this runlevel

Furthermore, if we remove the "term_dontaudit_use_console(getty_t)" rule, we can see that /sbin/mingetty fails to execute /bin/login:

type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process

Could someone enlighten me on the decision made about the console in the refpolicy implementation, and why?

Thank you very much!

Best regards,
Harry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: making-the-console-usable.patch
Type: text/x-patch
Size: 2737 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101026/824f6c31/attachment.bin
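
Review bot: the getty.te change that replaces term_dontaudit_use_console(getty_t) with term_use_console(getty_t) is not justified by the denial quoted with it. That AVC is a { noatsecure } denial with tclass=process from getty_t to local_login_t, which is a process transition permission and not an access to the console device, so the message shows no evidence of which console permissions getty_t actually needs. Please include in the patch description the console-related AVC denials that appear once the dontaudit line is removed, grant only what those denials show, and treat the noatsecure denial as a separate item with its own rationale.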