From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 7 Jun 2011 08:03:50 -0400
Subject: [refpolicy] Help with policy definition.
In-Reply-To: <BANLkTi=2=mMMTE9raGH+HM8sa7SK3VX=fA@mail.gmail.com>
References: <BANLkTi=2=mMMTE9raGH+HM8sa7SK3VX=fA@mail.gmail.com>
Message-ID: <4DEE13A6.2070704@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/06/11 19:26, Sam Gandhi wrote:
> I am writing a policy for embedded device that I am working with. When
> I am in permissive mode I can login to my console located on
> /dev/ttymxc1.
> 
> which generate AVC message
> 
> user.notice kernel: type=1400 audit(165.890:8): avc:  denied  {
> relabelto } for  pid=605 comm="login" name="ttymxc1" dev=tmpfs
> ino=1475 scontext=system_u:system_r:kernel_t
> tcontext=user_u:object_r:tty_device_t tclass=chr_file

Looks like your login program is running in the wrong context.  It
should be local_login_t, not kernel_t.  Check the label on your init
program (eg /sbin/init) which should be init_exec_t.


> which audit2allow says should translate to :
> 
>      allow kernel_t tty_device_t:chr_file relabelto;
> 
> Even if with above allow rule when in enforcing mode I am not able to
> login to my serial console and I get message on the console.
> 
> login: chsid(/dev/ttymxc1, user_u:object_r:tty_device_t) failed:
> 
> /dev/ttymxc1 in my case has label of  user_u:object_r:tty_device_t
> 
> What am I missing in my configuration or any hints on how I should go
> about debugging this issue/


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com