From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 12 Aug 2017 11:00:37 +0200
Subject: [refpolicy] [PATCH 1/2] terminal: /dev/pts exists in /dev filesystem
In-Reply-To: <20170812083500.18273-1-nicolas.iooss@m4x.org>
References: <20170812083500.18273-1-nicolas.iooss@m4x.org>
Message-ID: <20170812090037.GA16991@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, Aug 12, 2017 at 10:34:59AM +0200, Nicolas Iooss via refpolicy wrote:
> systemd tries to create /dev/pts directly with its context type
> "devpts_t", but this is not allowed:
>
> avc: denied { associate } for pid=1 comm="systemd" name="pts"
> scontext=system_u:object_r:devpts_t
> tcontext=system_u:object_r:device_t
> tclass=filesystem permissive=1

There is probably a context spec that says that the /dev/pts dir should be of type devpts_t.

If you replace that spec with something like

/dev/pts -d <>

then systemd creates the dir with type device_t, then devpts fs gets mounted on it and it will show up as devpts_t

A little bit cleaner in my opinion, but I suppose a matter of taste

> --- > policy/modules/kernel/terminal.te | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te > index f71fda4b5e52..ff9ee502888b 100644 > --- a/policy/modules/kernel/terminal.te > +++ b/policy/modules/kernel/terminal.te 
> @@ -25,6 +25,7 @@ dev_node(console_device_t) > # the type of the root directory of the file system. > # > type devpts_t; > +dev_associate(devpts_t) > files_mountpoint(devpts_t) > fs_associate_tmpfs(devpts_t) > fs_xattr_type(devpts_t) > -- > 2.14.1

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
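
Review bot: the added `dev_associate(devpts_t)` line under `type devpts_t;` has no comment explaining why a devpts type must associate with the /dev filesystem, while the declaration itself sits under a comment block describing the type. Add a short comment stating that the /dev/pts mount point directory is created with this type on the device_t filesystem before devpts is mounted, which is what the quoted AVC denial (`devpts_t` associating with `device_t`, `tclass=filesystem`) shows. The commit message should also say why an allow rule was chosen over relabelling the directory, since the reply above proposes changing the /dev/pts file context spec so that systemd creates the directory as device_t, which according to that reply would make the extra associate rule unnecessary.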