From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 26 Oct 2010 08:27:28 -0400
Subject: [refpolicy] Why console not usable by default?
In-Reply-To: <4CC6C3A4.2080905@tresys.com>
References: <4CC6C3A4.2080905@tresys.com>
Message-ID: <4CC6C930.5030400@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/26/2010 08:03 AM, Christopher J. PeBenito wrote:
> On 10/26/10 05:58, TaurusHarry wrote:
>> Hi refpolicy experts,
>>
>> I am trying to play with the refpolicy from the latest git tree in a
>> qemu environment, which I could log in to from the serial console or by
>> ssh. I ran into a series of problems when logging in from the serial
>> console or running userspace applications on top of it. The attached is
>> the patch I made up so far to make the serial console "usable" by normal
>> operations.
>>
>> I couldn't help wondering why the console is not made available for many
>> userspace domains in the refpolicy by default. Take getty_t for
>> instance: in getty.te, not only is getty_t not permitted to use the
>> console, but furthermore a dontaudit rule is used to suppress the
>> related AVC denied messages:
>>
>> -term_dontaudit_use_console(getty_t)
>> +term_use_console(getty_t)
>>
>> I guess I would have to make the above change in order to log in from
>> the console, otherwise mingetty will fail with the following error
>> messages:
>> INIT: Id "0" respawning too fast: disabled for 5 minutes
>> INIT: no more processes left in this runlevel
>>
>> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
>> rule, we can see that /sbin/mingetty fails to execute /bin/login:
>> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
>> for pid=2292 comm="login"
>> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
>> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
>>
>>
>> Could someone enlighten me on the decision made about the console in
>> the refpolicy
>> implementation, and why?
>
> It is this way because getty doesn't normally run on /dev/console. It
> normally runs on /dev/tty*.
>

Fedora has term_use_console. I think on system390 it is also required.
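The two kinds of denial that surface in this thread (a hidden console access and a noatsecure check on the getty_t to local_login_t transition) are easier to triage when the AVC records are read mechanically. The following is an added example, not code from the thread or from refpolicy: it parses kernel AVC records and separates domain-transition denials (process-class permissions the kernel checks against the old and new domain at exec time) from object-access denials such as the one term_dontaudit_use_console() silences. The first sample record is the denial quoted in the post joined onto one line; the second record, including its dev and ino values, is constructed.

```python
import re

# Kernel AVC record layout as it appears in the post:
#   type=1400 audit(<secs>.<ms>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# process-class permissions checked against the (old domain, new domain) pair at
# exec time: a denial on one of these is a domain-transition problem, not file access
TRANSITION_PERMS = {"transition", "noatsecure", "siginh", "rlimitinh"}


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": frozenset(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        # a context is user:role:type[:mls-range]; policy rules name the type
        parts = rec.get(ctx, "").split(":", 3)
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def classify(rec):
    """Describe a parsed denial in terms of the policy rule that would address it."""
    missing = rec["perms"] & TRANSITION_PERMS
    if rec["tclass"] == "process" and missing:
        return "transition %s -> %s (missing %s)" % (
            rec["scontext_type"], rec["tcontext_type"], " ".join(sorted(missing)))
    return "%s needs { %s } on %s (%s)" % (
        rec["scontext_type"], " ".join(sorted(rec["perms"])), rec["tcontext_type"], rec["tclass"])


SAMPLE_LOG = [
    # the denial quoted in the post, joined onto a single line
    'type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" '
    'scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process',
    # constructed: the console access that term_dontaudit_use_console(getty_t) would hide
    'type=1400 audit(1264520547.100:61): avc: denied { read write } for pid=2291 comm="mingetty" name="console" '
    'dev=devtmpfs ino=1234 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file',
    # constructed: a SYSCALL record on the same serial, which is not an AVC record
    'type=1300 audit(1264520547.936:68): arch=40000003 syscall=11 success=yes',
]


def summarise(lines):
    return [classify(r) for r in map(parse_avc, lines) if r is not None]


if __name__ == "__main__":
    for summary in summarise(SAMPLE_LOG):
        print(summary)
```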