From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 23 Feb 2011 19:34:39 +0100
Subject: [refpolicy] [PATCH 17/34]: patch to allow plymouthd use unallocated ttys
In-Reply-To: <4D651E49.3030300@tresys.com>
References: <1297837126.3205.66.camel@tesla.lan> <4D651E49.3030300@tresys.com>
Message-ID: <1298486079.29671.10.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher!

On Wed, 23/02/2011 at 09.48 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:18, Guido Trentalancia wrote:
> > This patch allows plymouthd to use unallocated ttys.
> >
> > diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/services/plymouthd.te refpolicy-git-02022011-new/policy/modules/services/plymouthd.te
> > --- refpolicy-git-02022011/policy/modules/services/plymouthd.te 2011-01-08 19:07:21.280747356 +0100
> > +++ refpolicy-git-02022011-new/policy/modules/services/plymouthd.te 2011-01-26 01:40:06.542176190 +0100
> > @@ -64,6 +64,8 @@ miscfiles_read_localization(plymouthd_t)
> > miscfiles_read_fonts(plymouthd_t)
> > miscfiles_manage_fonts_cache(plymouthd_t)
> >
> > +term_use_unallocated_ttys(plymouthd_t)
> > +
> > ########################################
> > #
> > # Plymouth private policy
>
> Why? Would it be possible to specifically label the devices?

I think they are unallocated not unlabelled. They have label tty_device_t and what is needed is chr_file { write ioctl read open getattr append }. Possibly it's stuff such as /dev/tty63, /dev/hvc0 and so on.

By the way, recently I had to add these (to use ftp as root from a console):

kernel_request_load_module(sysadm_t) in policy/modules/roles/sysadm.te (trying to load ipv6 module)
corenet_tcp_bind_generic_node(sysadm_t) in policy/modules/roles/sysadm.te (ftp list directory)

And there might be more, I am still testing...

What am I getting wrong here? Apparently the console is having some issues (and perhaps not just with ftp) that are not showing up from an X terminal...

So either I am doing something wrong or what's the reason for having a console much more restricted than X terminals?

Regards,

Guido
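Review bot: the added `term_use_unallocated_ttys(plymouthd_t)` line in the `@@ -64,6 +64,8 @@` hunk comes with no justification in the patch text, which is why the reviewer had to ask what it is for; please state in the description which device nodes plymouthd was denied on (the reply names /dev/tty63 and /dev/hvc0 as candidates) and which permissions were needed (the reply lists chr_file { write ioctl read open getattr append }), so the reviewer can judge whether a dedicated label for those nodes or a narrower interface would do instead of granting plymouthd access to every tty_device_t node.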