From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 7 Jun 2011 08:03:50 -0400
Subject: [refpolicy] Help with policy definition.
In-Reply-To:
References:
Message-ID: <4DEE13A6.2070704@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/06/11 19:26, Sam Gandhi wrote:
> I am writing a policy for an embedded device that I am working with. When
> I am in permissive mode I can log in to my console located on
> /dev/ttymxc1,
>
> which generates the AVC message:
>
> user.notice kernel: type=1400 audit(165.890:8): avc: denied { relabelto } for pid=605 comm="login" name="ttymxc1" dev=tmpfs ino=1475 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:tty_device_t tclass=chr_file

Looks like your login program is running in the wrong context. It should be
local_login_t, not kernel_t. Check the label on your init program (e.g.
/sbin/init), which should be init_exec_t.

> which audit2allow says should translate to:
>
> allow kernel_t tty_device_t:chr_file relabelto;
>
> Even with the above allow rule, when in enforcing mode I am not able to
> log in to my serial console and I get this message on the console:
>
> login: chsid(/dev/ttymxc1, user_u:object_r:tty_device_t) failed:
>
> /dev/ttymxc1 in my case has the label user_u:object_r:tty_device_t
>
> What am I missing in my configuration, or any hints on how I should go
> about debugging this issue?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
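The diagnostic point of the reply above is that an AVC denial whose source domain is kernel_t for a program like login signals a missing domain transition, not a missing allow rule, so the audit2allow output is the wrong fix. The following script, an added example that is not part of the thread or of refpolicy, parses AVC records of the shape quoted above and applies that check. The mapping of program names to expected refpolicy domains (login to local_login_t, init to init_t, getty to getty_t) is an assumption for illustration, and the sample log line is constructed from the one in the thread.

```python
"""Triage an SELinux AVC denial: missing allow rule, or process in the wrong domain?
Added example for the refpolicy thread; not code from the list or the project."""
import re
from typing import Dict, Optional

# Constructed sample, shaped like the AVC record quoted in the thread.
SAMPLE_AVC = (
    'user.notice kernel: type=1400 audit(165.890:8): avc: denied { relabelto } '
    'for pid=605 comm="login" name="ttymxc1" dev=tmpfs ino=1475 '
    'scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:tty_device_t '
    'tclass=chr_file'
)

# Assumed mapping (illustration only) of well-known programs to the refpolicy
# domain they are expected to run in after a correct domain transition.
EXPECTED_DOMAIN = {
    "login": "local_login_t",
    "init": "init_t",
    "getty": "getty_t",
}

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC record into a dict; return None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Split user:role:type (an MLS level, if present, is ignored) so the
    # type component can be compared directly.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            user, role, type_ = str(rec[ctx]).split(":")[:3]
            rec[ctx + "_type"] = type_
    return rec


def triage(rec: Dict[str, object]) -> Dict[str, object]:
    """Decide whether the denial reflects a wrong source domain or a genuinely missing rule."""
    comm = str(rec.get("comm", ""))
    stype = str(rec.get("scontext_type", ""))
    expected = EXPECTED_DOMAIN.get(comm)
    if expected and stype != expected:
        # The process never transitioned into its own domain; an allow rule for
        # the wrong domain would only mask the real problem.
        return {
            "verdict": "wrong_domain",
            "expected": expected,
            "actual": stype,
            "advice": (f"{comm} runs as {stype} but should run as {expected}; "
                       "do not add the audit2allow rule, fix the domain transition "
                       "(for login, check that the parent init is labelled init_exec_t)."),
        }
    # Source domain is plausible, so the denial is a real gap in the policy.
    perms = " ".join(rec["perms"])  # type: ignore[arg-type]
    return {
        "verdict": "missing_rule",
        "expected": expected,
        "actual": stype,
        "advice": f'allow {stype} {rec["tcontext_type"]}:{rec["tclass"]} {{ {perms} }};',
    }


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    if record is not None:
        print(triage(record)["advice"])
```

Run against the quoted denial the script reports a wrong_domain verdict; against the same line with the source type already local_login_t it instead emits the one-line allow rule, which is the only case where the audit2allow output is the right answer.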