From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 07 Jun 2011 21:11:24 +0200
Subject: [refpolicy] Help with policy definition.
In-Reply-To: <4DEE13A6.2070704@tresys.com>
References: <4DEE13A6.2070704@tresys.com>
Message-ID: <1307473886.14021.2.camel@vortex>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2011-06-07 at 08:03 -0400, Christopher J. PeBenito wrote:
> On 06/06/11 19:26, Sam Gandhi wrote:
> > I am writing a policy for an embedded device that I am working with. When
> > I am in permissive mode I can login to my console located on
> > /dev/ttymxc1,
> >
> > which generates the AVC message
> >
> > user.notice kernel: type=1400 audit(165.890:8): avc: denied {
> > relabelto } for pid=605 comm="login" name="ttymxc1" dev=tmpfs
> > ino=1475 scontext=system_u:system_r:kernel_t
> > tcontext=user_u:object_r:tty_device_t tclass=chr_file
>
> Looks like your login program is running in the wrong context. It
> should be local_login_t, not kernel_t. Check the label on your init
> program (eg /sbin/init) which should be init_exec_t.

Shouldn't kernel_t be less restrictive than local_login_t (let alone the fact that, as you noted, it's wrong)?

> > which audit2allow says should translate to:
> >
> > allow kernel_t tty_device_t:chr_file relabelto;
> >
> > Even with the above allow rule, when in enforcing mode I am not able to
> > login to my serial console and I get this message on the console:
> >
> > login: chsid(/dev/ttymxc1, user_u:object_r:tty_device_t) failed:
> >
> > /dev/ttymxc1 in my case has the label user_u:object_r:tty_device_t
> >
> > What am I missing in my configuration, or any hints on how I should go
> > about debugging this issue?
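The debugging step PeBenito recommends above, checking the source domain of the denied process before blindly applying the rule audit2allow prints, can be automated over an audit log. The following is an added example, not code from the thread or from refpolicy: it parses the AVC record quoted above (reproduced here as a constructed sample), renders the same allow rule audit2allow would suggest, and flags the denial when the program is not running in the domain the policy intends for it. The EXPECTED_DOMAIN table and the function names are assumptions for this example; the single entry in it (login should run in local_login_t) is taken from the reply above.

```python
import re

# Constructed sample: the AVC record quoted in the thread, reflowed onto one line.
SAMPLE_AVC = (
    'user.notice kernel: type=1400 audit(165.890:8): avc: denied { relabelto } '
    'for pid=605 comm="login" name="ttymxc1" dev=tmpfs ino=1475 '
    'scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:tty_device_t '
    'tclass=chr_file'
)

# Domain each program is expected to run in (refpolicy type names). Hypothetical
# lookup table for this example; extend it for the domains in your own policy.
EXPECTED_DOMAIN = {'login': 'local_login_t'}

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one kernel AVC record into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'result': m.group('result'), 'perms': m.group('perms').split(), **fields}
    # A security context is user:role:type[:range]; the type is what allow rules use.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            parts = rec[ctx].split(':')
            rec[ctx + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec


def suggest_rule(rec):
    """Render the allow rule audit2allow would print for this single denial."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(
        rec['scontext_type'], rec['tcontext_type'], rec['tclass'], perm_str)


def diagnose(rec):
    """Decide whether the denial is a policy gap or a symptom of mislabelling.

    If the program is not in its expected domain, adding the suggested allow
    rule to the wrong domain papers over the real problem: the process chain
    (init and its exec labels) is mislabelled, which is exactly the advice in
    the reply above.
    """
    comm = rec.get('comm')
    actual = rec.get('scontext_type')
    expected = EXPECTED_DOMAIN.get(comm)
    if expected and actual != expected:
        return ('{} is running in {}, expected {}: fix the labelling of the '
                'process chain (e.g. init must be init_exec_t) instead of '
                'allowing {} the denied access').format(comm, actual, expected, actual)
    return '{} runs in the expected domain {}; the denial is a policy gap'.format(
        comm, actual)


def triage(lines):
    """Run every AVC denial in an iterable of log lines through the checks above."""
    report = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        report.append((suggest_rule(rec), diagnose(rec)))
    return report


if __name__ == '__main__':
    for rule, verdict in triage([SAMPLE_AVC]):
        print('audit2allow would say:', rule)
        print('but:', verdict)
```

Run it on `ausearch -m avc` output (or dmesg on a system without auditd). On the record from the thread it prints the `allow kernel_t tty_device_t:chr_file relabelto;` rule and then the mislabelling verdict, which is the check to do before touching the policy: a rule written for kernel_t does not help once login is correctly transitioned into local_login_t.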