From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 7 Jun 2011 15:28:48 -0400
Subject: [refpolicy] Help with policy definition.
In-Reply-To: <1307473886.14021.2.camel@vortex>
References: <4DEE13A6.2070704@tresys.com> <1307473886.14021.2.camel@vortex>
Message-ID: <4DEE7BF0.3090407@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/07/11 15:11, Guido Trentalancia wrote:
> On Tue, 2011-06-07 at 08:03 -0400, Christopher J. PeBenito wrote:
>> On 06/06/11 19:26, Sam Gandhi wrote:
>>> I am writing a policy for an embedded device that I am working with. When
>>> I am in permissive mode I can log in to my console located on
>>> /dev/ttymxc1,
>>>
>>> which generates the AVC message
>>>
>>> user.notice kernel: type=1400 audit(165.890:8): avc: denied {
>>> relabelto } for pid=605 comm="login" name="ttymxc1" dev=tmpfs
>>> ino=1475 scontext=system_u:system_r:kernel_t
>>> tcontext=user_u:object_r:tty_device_t tclass=chr_file
>>
>> Looks like your login program is running in the wrong context. It
>> should be local_login_t, not kernel_t. Check the label on your init
>> program (e.g. /sbin/init), which should be init_exec_t.
>
> Shouldn't kernel_t be less restrictive than local_login_t (let alone the
> fact that, as you noted, it's wrong)?

Unless kernel_t is unconfined, local login is actually less restrictive.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
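As an added example (not part of the thread, and not refpolicy code), the parser below pulls apart AVC denials of the form quoted above and applies Chris's check mechanically: it splits `scontext` into user, role and type and compares the type against the domain a given program is expected to run in, so a `comm="login"` denial with a `kernel_t` source is reported as a domain-transition problem rather than as a missing `relabelto` rule. The `EXPECTED_DOMAIN` table and the second sample log line are constructed for this example; the first sample line is the denial from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: line 1 is the denial quoted in the thread, line 2
# is a constructed variant in which login runs in the expected domain.
SAMPLE_LOG = """\
user.notice kernel: type=1400 audit(165.890:8): avc: denied { relabelto } for pid=605 comm="login" name="ttymxc1" dev=tmpfs ino=1475 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:tty_device_t tclass=chr_file
user.notice kernel: type=1400 audit(170.123:9): avc: denied { relabelto } for pid=610 comm="login" name="ttymxc1" dev=tmpfs ino=1475 scontext=system_u:system_r:local_login_t tcontext=user_u:object_r:tty_device_t tclass=chr_file
"""

# Assumption for this example: which domain the reference policy is expected
# to run each program in. Extend as needed for the processes on your device.
EXPECTED_DOMAIN = {
    "login": "local_login_t",
    "init": "init_t",
}

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Avc:
    result: str
    perms: list
    fields: dict

    def context(self, key: str):
        """Split user:role:type[:range] into (user, role, type)."""
        parts = self.fields[key].split(":")
        return parts[0], parts[1], parts[2]


def parse_avc(line: str) -> Optional[Avc]:
    """Return an Avc for an AVC audit line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if raw.startswith('"') else raw
    return Avc(m.group("result"), m.group("perms").split(), fields)


def domain_mismatch(avc: Avc):
    """Return (actual_type, expected_type) if comm runs in the wrong domain, else None."""
    comm = avc.fields.get("comm")
    expected = EXPECTED_DOMAIN.get(comm)
    if expected is None:
        return None
    _, _, stype = avc.context("scontext")
    return None if stype == expected else (stype, expected)


def diagnose(avc: Avc) -> str:
    """One-line reading of a denial, in the spirit of the reply in the thread."""
    comm = avc.fields.get("comm", "?")
    pid = avc.fields.get("pid", "?")
    tclass = avc.fields.get("tclass", "?")
    mismatch = domain_mismatch(avc)
    if mismatch:
        actual, expected = mismatch
        return (f"{comm} (pid {pid}) runs as {actual}, expected {expected}: "
                f"fix the domain transition (check the init/login labels) "
                f"before writing any {tclass} rule")
    _, _, stype = avc.context("scontext")
    return (f"{comm} (pid {pid}) runs in the expected domain {stype}; "
            f"the missing permission is {{ {' '.join(avc.perms)} }} on {tclass}")


def analyse_log(text: str) -> list:
    """Diagnose every AVC line in a log excerpt, skipping non-AVC lines."""
    return [diagnose(a) for a in (parse_avc(l) for l in text.splitlines()) if a]


if __name__ == "__main__":
    for verdict in analyse_log(SAMPLE_LOG):
        print(verdict)
```

The point of separating `domain_mismatch` from the permission itself is the one Chris makes: a denial is only meaningful once the source domain is right, otherwise adding `allow kernel_t tty_device_t:chr_file relabelto` would paper over a broken transition. The first condition the reply points at, the label on the init binary, is checked with `ls -Z /sbin/init`.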