From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 26 Oct 2010 08:03:48 -0400
Subject: [refpolicy] Why console not usable by default?
In-Reply-To:
References:
Message-ID: <4CC6C3A4.2080905@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/26/10 05:58, TaurusHarry wrote:
> Hi refpolicy experts,
>
> I am trying to play with the refpolicy from the latest git tree in a
> qemu environment, which I could log into from the serial console or by
> ssh. I run into a series of problems when logging in from the serial
> console or running userspace applications on top of it. The attached is
> the patch I made up so far to make the serial console "usable" by normal
> operations.
>
> I couldn't help wondering why the console is not made available for many
> userspace domains in the refpolicy by default? Take the getty_t for
> instance, in getty.te, not only is the getty_t not permitted to use the
> console, but furthermore, a dontaudit rule is used to suppress the
> related AVC denied messages:
>
> -term_dontaudit_use_console(getty_t)
> +term_use_console(getty_t)
>
> I guess I would have to make the above changes in order to log in from the
> console, otherwise the mingetty will fail with the following error messages:
> INIT: Id "0" respawning too fast: disabled for 5 minutes
> INIT: no more processes left in this runlevel
>
> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
> rule, we can see that /sbin/mingetty fails to execute /bin/login:
> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
> for pid=2292 comm="login"
> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
>
>
> Could someone enlighten me on the decision made about the console in
> the refpolicy implementation? And why?

It is this way because getty doesn't normally run on /dev/console. It
normally runs on /dev/tty*.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
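Review bot: the quoted -/+ change to getty.te swaps a dontaudit for an unconditional term_use_console(getty_t), which grants console access to every getty_t instance, while the reply notes that getty normally runs on /dev/tty* rather than /dev/console; since the noatsecure denial from getty_t to local_login_t shown further down proves this one line is not sufficient to complete a console login on its own, the change would be better carried together with the rest of the attached patch, and as a local policy module for the serial-console setup rather than as an edit to the base getty.te.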
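The denial quoted in the thread is the raw material a policy author works from, so here is an added example (my own code, not from the thread or from refpolicy) that parses SELinux AVC records in the format shown above and groups the denied permissions by source domain, target type and object class. The first sample line is the thread's denial re-joined onto one line; the second is a constructed console denial in the same format (its `dev`, `ino` and serial values are made up), and the third is a constructed non-AVC record to show that it is skipped.

```python
# Added example (not code from the original thread): parse SELinux AVC
# denial lines such as the one quoted above and group them by
# source domain / target type / object class, which is the view a policy
# author needs before deciding between an allow, a dontaudit, or a
# change to how the service is launched.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

AVC_RE = re.compile(
    r"type=(?P<type>\w+)\s+audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class SecurityContext:
    user: str
    role: str
    type: str
    mls: Optional[str]  # MLS/MCS range such as "s0-s15:c0.c255"; None on non-MLS policies


def parse_context(raw: str) -> SecurityContext:
    """Split user:role:type[:range]; the range itself may contain colons."""
    parts = raw.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {raw!r}")
    return SecurityContext(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str
    permissions: list
    scontext: SecurityContext
    tcontext: SecurityContext
    tclass: str
    fields: dict  # remaining key=value pairs: pid, comm, path, name, ...


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for an AVC line, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            return None
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        decision=m.group("decision"),
        permissions=m.group("perms").split(),
        scontext=parse_context(fields.pop("scontext")),
        tcontext=parse_context(fields.pop("tcontext")),
        tclass=fields.pop("tclass"),
        fields=fields,
    )


def summarize(lines):
    """Group denied permissions by (source type, target type, class).

    Returns e.g. {("getty_t", "local_login_t", "process"): ["noatsecure"]}.
    """
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.decision != "denied":
            continue
        grouped[(rec.scontext.type, rec.tcontext.type, rec.tclass)].update(rec.permissions)
    return {key: sorted(perms) for key, perms in grouped.items()}


# Constructed sample input: line 1 is the denial quoted in the thread
# (re-joined onto one line); line 2 is a made-up console denial in the same
# format (dev/ino/serial invented); line 3 is a made-up non-AVC record.
SAMPLE_LINES = [
    'type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" '
    "scontext=system_u:system_r:getty_t:s0-s15:c0.c255 "
    "tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process",
    'type=1400 audit(1264520547.101:65): avc: denied { read write } for pid=2290 comm="mingetty" '
    'path="/dev/console" dev=tmpfs ino=1234 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 '
    "tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file",
    "type=1300 audit(1264520547.936:68): arch=c000003e syscall=59 success=yes exit=0",
]

if __name__ == "__main__":
    for (stype, ttype, tclass), perms in summarize(SAMPLE_LINES).items():
        print(f"{stype} -> {ttype} ({tclass}): {' '.join(perms)}")
```

Grouping by the (source type, target type, class) triple rather than by individual line is deliberate: the `noatsecure` denial above is a process-class permission between two domains (getty_t executing into local_login_t), which no terminal interface such as `term_use_console` can address, and the grouped view makes that distinction visible before any rule is written.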