From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 07 Jun 2011 05:52:58 +0200
Subject: [refpolicy] Help with policy definition.
In-Reply-To:
References:
Message-ID: <1307418782.22605.174.camel@vortex>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Sam!

On Mon, 2011-06-06 at 16:26 -0700, Sam Gandhi wrote:
> I am writing a policy for an embedded device that I am working with. When
> I am in permissive mode I can log in to my console located on
> /dev/ttymxc1,
>
> which generates the AVC message
>
> user.notice kernel: type=1400 audit(165.890:8): avc: denied { relabelto } for pid=605 comm="login" name="ttymxc1" dev=tmpfs ino=1475 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:tty_device_t tclass=chr_file
>
> which audit2allow says should translate to:
>
> allow kernel_t tty_device_t:chr_file relabelto;
>
> Even with the above allow rule, when in enforcing mode I am not able to
> log in to my serial console and I get this message on the console.

Have you tried to check for rules that are "dontaudit"'ed (semodule -DB,
and then revert back using semodule -B once finished analysing)?

> login: chsid(/dev/ttymxc1, user_u:object_r:tty_device_t) failed:

Can you do some sort of tracing of the system calls and signals close to
the failure point? There is something missing after "failed:" (the
reason for failure) that a human can hardly figure out...

And you are not using login from util-linux-ng, are you?

And the policy, you didn't say much: is it plain refpolicy from git or a
release?

> /dev/ttymxc1 in my case has a label of user_u:object_r:tty_device_t
>
> What am I missing in my configuration, or any hints on how I should go
> about debugging this issue?
> /Sam

Guido
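The AVC line quoted above is the raw material for the debugging Guido suggests. As an added example (not code from this thread, from refpolicy, or from audit2allow), the script below parses kernel AVC denial lines of that format, merges the denied permissions per (source type, target type, object class) into audit2allow-style allow rules, and separately flags denials whose source domain is kernel_t. That second check is my own observation, not something the thread states: a userspace program such as login normally runs in its own domain after init's domain transitions, so seeing comm="login" in kernel_t is worth checking before adding allow rules. The second and third log lines are constructed for the example; only the first is Sam's.

```python
import re
from collections import defaultdict

# Shape of a kernel AVC denial: "avc: denied { perm perm } for key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (comm="login") or bare (dev=tmpfs)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: line 1 is the denial quoted in the thread, lines 2 and 3
# are constructed here to show permission merging and a second domain.
SAMPLE_LINES = [
    'user.notice kernel: type=1400 audit(165.890:8): avc: denied { relabelto } '
    'for pid=605 comm="login" name="ttymxc1" dev=tmpfs ino=1475 '
    'scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:tty_device_t '
    'tclass=chr_file',
    'user.notice kernel: type=1400 audit(166.010:9): avc: denied { read write } '
    'for pid=605 comm="login" name="ttymxc1" dev=tmpfs ino=1475 '
    'scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:tty_device_t '
    'tclass=chr_file',
    'user.notice kernel: type=1400 audit(166.200:10): avc: denied { setattr } '
    'for pid=590 comm="getty" name="ttymxc1" dev=tmpfs ino=1475 '
    'scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tty_device_t '
    'tclass=chr_file',
    "user.notice kernel: some unrelated console message",
]


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:level]; the type is the third component.
    return {
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
    }


def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class), as audit2allow does.

    Note: this only sees what was audited. Denials covered by dontaudit rules
    never reach the log until those rules are disabled (semodule -DB).
    """
    perms = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            perms[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (s, t, c), ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


def kernel_t_programs(lines):
    """Names of userspace programs denied while running in kernel_t.

    Assumption (mine, not the thread's): a program like login should have
    left kernel_t through init's domain transitions, so a hit here points
    at a missing transition rather than at the denied permission itself.
    """
    found = set()
    for line in lines:
        d = parse_avc(line)
        if d and d["stype"] == "kernel_t" and d["comm"]:
            found.add(d["comm"])
    return sorted(found)


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LINES):
        print(rule)
    for prog in kernel_t_programs(SAMPLE_LINES):
        print(f"# warning: {prog} is running in kernel_t; check the domain transition")
```

Run it against `dmesg` or `ausearch -m avc` output instead of SAMPLE_LINES after `semodule -DB`, and restore the policy with `semodule -B` when done.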