From: harrytaurus2002@hotmail.com (TaurusHarry)
Date: Wed, 27 Oct 2010 09:11:14 +0000
Subject: [refpolicy] Why console not usable by default?
In-Reply-To: <4CC6C930.5030400@redhat.com>
References: <4CC6C3A4.2080905@tresys.com>, <4CC6C930.5030400@redhat.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Daniel and Chris,

Thanks for your answers. Then I simply guess the support for the console has been deliberately removed (it used to be supported way back in refpolicy-20081210, but no longer in refpolicy-20091117) just because refpolicy is developed and tested on a platform where the console is no longer used by mingetty, but /dev/tty* instead. Thus it would make lots of sense to cross-reference the SELinux policy implementation on different distributions if you ever get stuck on one of them :-)

Thanks again,
Harry

> Date: Tue, 26 Oct 2010 08:27:28 -0400
> From: dwalsh at redhat.com
> To: cpebenito at tresys.com
> CC: harrytaurus2002 at hotmail.com; refpolicy at oss1.tresys.com
> Subject: Re: [refpolicy] Why console not usable by default?
>
> On 10/26/2010 08:03 AM, Christopher J. PeBenito wrote:
> > On 10/26/10 05:58, TaurusHarry wrote:
> >> Hi refpolicy experts,
> >>
> >> I am trying to play with the refpolicy from the latest git tree in a
> >> qemu environment, which I could login to from the serial console or by ssh. I
> >> ran into a series of problems when logging in from the serial console or
> >> running userspace applications on top of it. The attached is the patch I
> >> made up so far to make the serial console "usable" by normal operations.
> >>
> >> I couldn't help wondering why the console is not made available for many
> >> userspace domains in the refpolicy by default?
> >> Take the getty_t for
> >> instance: in getty.te, not only is getty_t not permitted to use the
> >> console, but furthermore a dontaudit rule is used to suppress the
> >> related AVC denied messages:
> >>
> >> -term_dontaudit_use_console(getty_t)
> >> +term_use_console(getty_t)
> >>
> >> I guess I would have to make the above changes in order to login from the
> >> console, otherwise mingetty will fail with the following error messages:
> >> INIT: Id "0" respawning too fast: disabled for 5 minutes
> >> INIT: no more processes left in this runlevel
> >>
> >> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
> >> rule, we can see that /sbin/mingetty fails to execute /bin/login:
> >> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
> >> for pid=2292 comm="login"
> >> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> >> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
> >>
> >> Could someone enlighten me on the decision made about the console in
> >> the refpolicy implementation? And why?
> >
> > It is this way because getty doesn't normally run on /dev/console. It
> > normally runs on /dev/tty*.
>
> Fedora has term_use_console.
>
> I think on system390 it is also required.
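As an added example (not code from the thread or from refpolicy), here is a small Python parser for the AVC denial format quoted above. Because a dontaudit rule silences these messages, removing term_dontaudit_use_console(getty_t) is what makes the denials visible; this script then groups them by source type, target type and object class, the way audit2allow does, and renders the raw allow rule each group would need so you can choose the matching refpolicy interface. The first log line is the one from the thread; the second line and its console_device_t target are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit log: the first line is the denial quoted in the
# thread; the second is made up to show a second (source, target, class) key.
SAMPLE_AUDIT = """\
type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
type=1400 audit(1264520548.101:69): avc: denied { read write } for pid=2290 comm="mingetty" path="/dev/console" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)'
    r'\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs between "for" and "scontext=" (pid, comm, path, ...)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields')))
    return {
        'perms': sorted(m.group('perms').split()),
        'stype': m.group('scontext').split(':')[2],   # source (process) type
        'ttype': m.group('tcontext').split(':')[2],   # target type
        'tclass': m.group('tclass'),
        'pid': int(fields.get('pid', 0)),
        'comm': fields.get('comm', '').strip('"'),
    }

def summarize(lines):
    """Group denials by (source type, target type, class) -> sorted permissions."""
    perms = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            perms[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return {k: sorted(v) for k, v in perms.items()}

def format_allow(key, perms):
    """Render one grouped denial as the raw allow rule that would satisfy it."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"

if __name__ == '__main__':
    for key, perms in summarize(SAMPLE_AUDIT.splitlines()).items():
        print(format_allow(key, perms))
```

The raw rules are only a diagnostic; in refpolicy the fix is expressed through the interfaces (term_use_console and friends), not by pasting allow rules into getty.te.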