From: snijsure@grid-net.com (Subodh Nijsure)
Date: Fri, 5 Oct 2012 03:34:02 +0000
Subject: [refpolicy] Non root users fail to login after switch to latest kernel
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

We have been running SELinux on our embedded platform for almost 18 months. We have been using kernel revision 2.6.31. Since our platform only has 64MB memory we decided to roll out our own policy.

Recently we have upgraded our linux kernel to version 3.5-rc4; again with our policy everything is working, except one thing: login for any user other than root doesn't work.

Login at console works if I apply the change shown below to commoncap.c, which is not exactly correct.

-------------------
diff --git a/security/commoncap.c b/security/commoncap.c
index 6dbae46..074cd74 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -83,7 +83,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
 	/* Do we have the necessary capabilities? */
 	if (targ_ns == cred->user_ns)
-		return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
+		return cap_raised(cred->cap_effective, cap) ? 0 : 0;
 	/* Have we tried all of the parent namespaces? */
 	if (targ_ns == &init_user_ns)
-------------------

So it looks like the users definition is missing some capabilities? I don't even see any avc messages.

When I try to login over ssh I consistently see this message:

Jan 1 05:58:14 192.168.137.1 sshd[928]: error: open /dev/tty failed - could not set controlling tty: Permission denied

However root user login at console or ssh works just fine.

I would appreciate any pointers/clues as to what I should look for in my policy definitions that is preventing users other than root from logging into the system?

-Subodh
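Review bot: the `+` line in the cap_capable hunk turns the ternary into `? 0 : 0`, which makes the check a no-op and grants every capability to any credential in its own user namespace, so this must not be carried as a fix. The fact that this hunk, in the commoncap capability check rather than an SELinux hook, is what makes login succeed, together with the absence of avc messages, points at the credential's cap_effective bits rather than at the SELinux policy as the source of the -EPERM. For diagnosis, keep `-EPERM` and add a printk of `cap` and `current->comm` in that branch instead (e.g. `pr_info("cap_capable: %s denied cap %d\n", current->comm, cap);` before the return), which identifies the missing capability without disabling the check.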