[refpolicy] Why console not usable by default?
Christopher J. PeBenito
cpebenito at tresys.com
Tue Oct 26 07:03:48 CDT 2010
On 10/26/10 05:58, TaurusHarry wrote:
> Hi refpolicy experts,
>
> I am trying to play with the refpolicy from the latest git tree in a
> qemu environment, which I can log in to from the serial console or by ssh. I
> ran into a series of problems when logging in from the serial console or
> running userspace applications on top of it. The attached is the patch I
> made up so far to make the serial console "usable" by normal operations.
>
> I couldn't help wondering why the console is not made available to many
> userspace domains in the refpolicy by default? Take getty_t for
> instance: in getty.te, not only is getty_t not permitted to use the
> console, but furthermore a dontaudit rule is used to suppress the
> related AVC denied messages:
>
> -term_dontaudit_use_console(getty_t)
> +term_use_console(getty_t)
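Review bot: swapping term_dontaudit_use_console(getty_t) for term_use_console(getty_t) replaces a deliberate dontaudit with a blanket allow on /dev/console without stating why getty ends up on that device at all; since getty is expected to run on /dev/tty* devices, the patch description should say how the serial console is labeled and why mingetty is opening /dev/console rather than a tty device, and the fix should target that (the device label or the inittab entry) instead of widening getty_t's access.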
>
> I guess I would have to make above changes in order to login from the
> console, otherwise the mingetty will fail with following error messages:
> INIT: Id "0" respawning too fast: disabled for 5 minutes
> INIT: no more processes left in this runlevel
>
> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
> rule, we can see that /sbin/mingetty fails to execute /bin/login:
> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
> for pid=2292 comm="login"
> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
>
>
> Could someone enlighten me on the decision made about the console in
> the refpolicy implementation, and why?
It is this way because getty doesn't normally run on /dev/console. It
normally runs on /dev/tty*.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
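The thread turns on reading AVC denials like the one quoted above and deciding whether to turn them into allow rules. The following is an added example, not code from the thread or from refpolicy: it parses audit records of that shape, groups them the way audit2allow does (by source type, target type and object class) into candidate allow rules, and flags the specific case discussed here, getty_t touching /dev/console, so that the device label gets checked before the access is granted. The sample records are constructed (the first is the denial quoted in the question, the rest are made up); console_device_t and tty_device_t are assumed to be refpolicy's types for /dev/console and /dev/tty*.

```python
"""Turn SELinux AVC denials into candidate refpolicy rules (audit2allow-style)."""
import re
from collections import defaultdict

# Constructed sample audit records. The first one is the denial quoted in the
# thread; the others are made up to exercise the grouping and hint logic.
SAMPLE_AVC_LINES = [
    'type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 '
    'comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 '
    'tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process',
    'type=1400 audit(1264520548.101:69): avc: denied { read } for pid=2290 '
    'comm="mingetty" name="console" dev=tmpfs ino=1042 '
    'scontext=system_u:system_r:getty_t:s0-s15:c0.c255 '
    'tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file',
    'type=1400 audit(1264520548.102:70): avc: denied { write } for pid=2290 '
    'comm="mingetty" name="console" dev=tmpfs ino=1042 '
    'scontext=system_u:system_r:getty_t:s0-s15:c0.c255 '
    'tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file',
    # A SYSCALL record, not an AVC record: the parser must skip it.
    'type=1300 audit(1264520548.103:70): arch=40000003 syscall=5 success=no exit=-13',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed refpolicy type names for the two device classes the thread is about.
CONSOLE_TYPE = 'console_device_t'   # /dev/console
TTY_TYPE = 'tty_device_t'           # /dev/tty*, including serial ttyS*


def context_type(context):
    """user:role:type[:range] -> type (the third colon-separated field)."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        return {
            'perms': set(m.group('perms').split()),
            'stype': context_type(fields['scontext']),
            'ttype': context_type(fields['tcontext']),
            'tclass': fields['tclass'],
            'comm': fields.get('comm', '?'),
        }
    except (KeyError, IndexError):
        # Malformed record (missing context or class): ignore rather than guess.
        return None


def synthesize_rules(lines):
    """Group denials by (source type, target type, class) and emit allow rules."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            grouped[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


def review_hints(lines):
    """Flag getty_t denials on /dev/console: getty is expected on a /dev/tty* device,
    so the label of the serial device should be checked before allowing this."""
    hints = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['stype'] == 'getty_t' and rec['ttype'] == CONSOLE_TYPE:
            hints.add(f"{rec['comm']}: getty_t denied on {CONSOLE_TYPE}; getty normally runs "
                      f"on /dev/tty* ({TTY_TYPE}), check the serial device label before "
                      f"allowing console access")
    return sorted(hints)


if __name__ == '__main__':
    for rule in synthesize_rules(SAMPLE_AVC_LINES):
        print(rule)
    for hint in review_hints(SAMPLE_AVC_LINES):
        print('#', hint)
```

The grouping step is what makes the output directly comparable to the refpolicy rules in the thread: the two chr_file denials collapse into one `allow getty_t console_device_t:chr_file { read write };` line, which is exactly the access term_use_console(getty_t) would grant, while the hint is the reason the maintainer gives for not wanting that rule in the default policy.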