From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 27 Oct 2010 08:22:38 -0400
Subject: [refpolicy] Why console not usable by default?
In-Reply-To: <4CC6C930.5030400@redhat.com>
References: <4CC6C3A4.2080905@tresys.com> <4CC6C930.5030400@redhat.com>
Message-ID: <4CC8198E.5060704@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/26/10 08:27, Daniel J Walsh wrote:
> On 10/26/2010 08:03 AM, Christopher J. PeBenito wrote:
>> On 10/26/10 05:58, TaurusHarry wrote:
>>> Hi refpolicy experts,
>>>
>>> I am trying to play with the refpolicy from the latest git tree in a
>>> qemu environment, which I could log in to from the serial console or by ssh. I
>>> ran into a series of problems when logging in from the serial console or
>>> running userspace applications on top of it. The attached is the patch I
>>> made up so far to make the serial console "usable" by normal operations.
>>>
>>> I couldn't help wondering why the console is not made available for many
>>> userspace domains in the refpolicy by default? Take the getty_t for
>>> instance, in getty.te, not only is getty_t not permitted to use the
>>> console, but furthermore, a dontaudit rule is used to suppress the
>>> related AVC denied messages:
>>>
>>> -term_dontaudit_use_console(getty_t)
>>> +term_use_console(getty_t)
>>>
>>> I guess I would have to make the above changes in order to log in from the
>>> console, otherwise mingetty will fail with the following error messages:
>>> INIT: Id "0" respawning too fast: disabled for 5 minutes
>>> INIT: no more processes left in this runlevel
>>>
>>> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
>>> rule, we can see that /sbin/mingetty fails to execute /bin/login:
>>> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
>>> for pid=2292 comm="login"
>>> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
>>> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
>>>
>>> Could someone enlighten me on the decision made about the console in
>>> the refpolicy implementation? And why?
>
>> It is this way because getty doesn't normally run on /dev/console. It
>> normally runs on /dev/tty*.
>
> Fedora has term_use_console.
>
> I think on system390 it is also required.

Last time I looked at the Fedora getty patch, it had this unconditionally
allowed. Send me a patch with all of the /dev/console usage related to this
in a tunable, and I'll be open to merging it.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
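What Chris asks for, written out as a refpolicy fragment for getty.te: an added illustration, not the patch from this thread or refpolicy's own code. The boolean name getty_use_console is assumed here; gen_tunable, tunable_policy, term_use_console and term_dontaudit_use_console are the existing refpolicy macros and interfaces.

```m4
## <desc>
## <p>
## Allow getty to use /dev/console. Off by default, since getty
## normally runs on /dev/tty*, not /dev/console.
## </p>
## </desc>
gen_tunable(getty_use_console, false)

# Only the branch matching the boolean is compiled in as active, so
# the shipped policy is unchanged (console access still denied and
# not audited), while serial-console systems flip the boolean at
# runtime instead of editing getty.te. The boolean name is assumed
# for this example.
tunable_policy(`getty_use_console',`
	term_use_console(getty_t)
',`
	term_dontaudit_use_console(getty_t)
')
```

On a serial-console system the access is then enabled with `setsebool -P getty_use_console on`, and the audit log shows the denial again as soon as it is turned back off.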