From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Why console not usable by default?
Date: Tue, 26 Oct 2010 13:23:47 +0200	[thread overview]
Message-ID: <20101026112345.GD25458@localhost.localdomain> (raw)
In-Reply-To: <SNT139-w7E36775349BB2932E65D1AB420@phx.gbl>

On Tue, Oct 26, 2010 at 09:58:38AM +0000, TaurusHarry wrote:
> 
> Hi refpolicy experts,
> 
> I am trying to play with the refpolicy from the latest git tree in a qemu environment, which I can log in to from the serial console or by ssh. I ran into a series of problems when logging in from the serial console or running userspace applications on top of it. Attached is the patch I have made so far to make the serial console "usable" for normal operations.
> 
> I couldn't help wondering why the console is not made available to many userspace domains in the refpolicy by default. Take getty_t for instance: in getty.te, not only is getty_t not permitted to use the console, but furthermore a dontaudit rule is used to suppress the related AVC denial messages:
I am wondering about this as well. I personally usually allow this.
> 
> -term_dontaudit_use_console(getty_t)
> +term_use_console(getty_t)
> 
> I guess I would have to make the above changes in order to log in from the console, otherwise mingetty will fail with the following error messages:
>         INIT: Id "0" respawning too fast: disabled for 5 minutes
>         INIT: no more processes left in this runlevel
> 
> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)" rule, we can see that /sbin/mingetty fails to execute /bin/login:
>         type=1400 audit(1264520547.936:68): avc:  denied  { noatsecure } for  pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
> 
> 
> Could someone enlighten me on the decision made about the console in the refpolicy implementation, and why?
> 
> Thank you very much!
> 
> Best regards,
> Harry

> From b54492deb244da3a4d1229c492f36573f81230e6 Mon Sep 17 00:00:00 2001
> From: Harry Ciao <qingtao.cao@windriver.com>
> Date: Tue, 26 Oct 2010 14:39:21 +0800
> Subject: [PATCH] making the console usable
> 
> Making various domains able to run on top of console.
> 
> Signed-off-by: Harry Ciao <harrytaurus2002@@hotmail.com>
> ---
>  policy/modules/kernel/terminal.if   |    4 ++++
>  policy/modules/system/getty.te      |    2 +-
>  policy/modules/system/logging.if    |    2 +-
>  policy/modules/system/userdomain.if |    5 +++++
>  4 files changed, 11 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> index 492bf76..2a90146 100644
> --- a/policy/modules/kernel/terminal.if
> +++ b/policy/modules/kernel/terminal.if
> @@ -1291,10 +1291,14 @@ interface(`term_setattr_all_ttys',`
>  interface(`term_relabel_all_ttys',`
>  	gen_require(`
>  		attribute ttynode;
> +		type console_device_t;
>  	')
>  
>  	dev_list_all_dev_nodes($1)
>  	allow $1 ttynode:chr_file { relabelfrom relabelto };
> +
> +	# Make the calling domain able to relabel the console as well
> +	allow $1 console_device_t:chr_file { relabelfrom relabelto };
>  ')
>  
>  ########################################
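Review bot: the added `allow $1 console_device_t:chr_file { relabelfrom relabelto };` widens term_relabel_all_ttys() beyond what its name says, so every existing caller of this interface silently gains the right to relabel the console as well as the ttys, whether it needs that or not. Prefer a dedicated interface (for example a new term_relabel_console()) that only the domains which really relabel the console call explicitly, or at the very least update the interface's doc comment so the widened scope is visible to policy authors who call it.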
> diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
> index 408f4e6..55c2d03 100644
> --- a/policy/modules/system/getty.te
> +++ b/policy/modules/system/getty.te
> @@ -83,7 +83,7 @@ term_use_unallocated_ttys(getty_t)
>  term_setattr_all_ttys(getty_t)
>  term_setattr_unallocated_ttys(getty_t)
>  term_setattr_console(getty_t)
> -term_dontaudit_use_console(getty_t)
> +term_use_console(getty_t)
>  
>  auth_rw_login_records(getty_t)
>  
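Review bot: the denial quoted in the mail as the reason the login fails (`avc: denied { noatsecure } ... scontext=...getty_t... tcontext=...local_login_t... tclass=process`) is a process-class permission on the getty_t to local_login_t transition, not a chr_file permission on the console device, so replacing term_dontaudit_use_console(getty_t) with term_use_console(getty_t) does not by itself explain or resolve it. Please include the actual console_device_t chr_file denial that motivates this hunk in the commit message, and treat noatsecure separately: denying it only makes the new image run in secure-execution mode (AT_SECURE set), which is why policy normally dontaudits it rather than allowing it.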
> diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
> index c7cfb62..6c648dc 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -540,7 +540,7 @@ interface(`logging_send_syslog_msg',`
>  	# If syslog is down, the glibc syslog() function
>  	# will write to the console.
>  	term_write_console($1)
> -	term_dontaudit_read_console($1)
> +	term_read_console($1)
>  ')
>  
>  ########################################
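Review bot: the comment kept in this hunk justifies console access with "glibc syslog() ... will write to the console", and writing is already granted by term_write_console($1) on the line above; read access is a different matter. logging_send_syslog_msg() is called by practically every domain that logs, so turning term_dontaudit_read_console($1) into term_read_console($1) would let all of those domains read from the console device, i.e. the input of whoever is logged in there. The dontaudit silences the noise from the open without granting that right and should stay as it is; if a specific domain really needs to read the console, give it term_read_console() in its own .te file.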
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d1bd453..aa6e1f0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -44,6 +44,11 @@ template(`userdom_base_user_template',`
>  
>  	term_user_tty($1_t, user_tty_device_t)
>  
> +	# Make all kinds of unprivileged user such as
> +	# user/staff/secadm/auditadm able to log in
> +	# from the console successfully.
> +	term_use_console($1_t)
> +
>  	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
>  	allow $1_t self:fd use;
>  	allow $1_t self:fifo_file rw_fifo_file_perms;
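Review bot: userdom_base_user_template() is the base of every user domain, so the unconditional term_use_console($1_t) added here gives each of them (the unprivileged user domains included) read/write on console_device_t at all times, not only during a session started on the console. The term_user_tty($1_t, user_tty_device_t) line just above shows the model the template already follows: the terminal is relabeled to the user's tty type at login and the user domain has rights on that type, not on the underlying device type. If a console login leaves /dev/console labeled console_device_t, the targeted fix is to get it relabeled at login; if direct console use is really wanted, wrap this call in a tunable_policy block so administrators can switch it off.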
> -- 
> 1.7.0.4
> 

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
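The denial Harry quoted is easier to reason about once its fields are pulled apart: the source type, target type and object class tell you whether a denial is about the console device at all. The following parser is an added example and not code from the thread or from refpolicy. It reads AVC records of the form shown in the mail, extracts the types and permissions, and prints the raw allow rule that audit2allow would propose together with a triage label. Both sample lines are constructed for this example: the first reproduces the noatsecure denial from the mail, the second is a hypothetical console_device_t chr_file denial of the kind term_use_console() addresses. The classify() heuristic is mine, not a refpolicy convention.

```python
"""Parse SELinux AVC denial records and turn them into candidate policy rules.

Added example, not part of the refpolicy patch or the mail thread.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample input. Line 1 is the denial quoted in the mail; line 2 is
# a hypothetical console denial (comm="mingetty" on /dev/console) for contrast.
SAMPLE_AUDIT_LINES = [
    'type=1400 audit(1264520547.936:68): avc:  denied  { noatsecure } for  pid=2292 comm="login" '
    'scontext=system_u:system_r:getty_t:s0-s15:c0.c255 '
    'tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process',
    'type=1400 audit(1264520600.001:70): avc:  denied  { read write } for  pid=2300 comm="mingetty" '
    'path="/dev/console" dev=tmpfs ino=5 scontext=system_u:system_r:getty_t:s0 '
    'tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file',
]

# Matches "avc: denied { perms } for <key=value ...> scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# key=value pairs between "for" and "scontext"; values may be quoted (comm="login")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    decision: str
    perms: Tuple[str, ...]
    pid: Optional[str]
    comm: Optional[str]
    path: Optional[str]
    stype: str
    ttype: str
    tclass: str


def _type_of(context: str) -> str:
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return AvcRecord(
        decision=m.group('decision'),
        perms=tuple(m.group('perms').split()),
        pid=kv.get('pid'),
        comm=kv.get('comm'),
        path=kv.get('path'),
        stype=_type_of(m.group('scontext')),
        ttype=_type_of(m.group('tcontext')),
        tclass=m.group('tclass'),
    )


def suggested_rule(rec: AvcRecord) -> str:
    """The raw allow rule audit2allow would print for this denial.

    Whether to allow it, dontaudit it, or fix a label instead is the policy
    author's decision; the rule is only the starting point for that review.
    """
    if len(rec.perms) == 1:
        perms = rec.perms[0]
    else:
        perms = '{ ' + ' '.join(rec.perms) + ' }'
    return f'allow {rec.stype} {rec.ttype}:{rec.tclass} {perms};'


def classify(rec: AvcRecord) -> str:
    """Hypothetical triage heuristic (assumption of this example, not refpolicy's)."""
    if rec.tclass == 'chr_file' and rec.ttype == 'console_device_t':
        return 'console access'
    if rec.tclass == 'process' and rec.stype != rec.ttype:
        return 'domain transition'
    return 'other'


if __name__ == '__main__':
    for line in SAMPLE_AUDIT_LINES:
        rec = parse_avc(line)
        if rec is not None:
            print(f'{classify(rec):18} {rec.comm!s:10} -> {suggested_rule(rec)}')
```

Run on the two samples, the first record classifies as a domain transition on the process class (getty_t to local_login_t) and the second as console access on console_device_t; only the second is something term_use_console() would change.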

