* [refpolicy] Why console not usable by default?
@ 2010-10-26 9:58 TaurusHarry
2010-10-26 11:23 ` Dominick Grift
2010-10-26 12:03 ` Christopher J. PeBenito
0 siblings, 2 replies; 6+ messages in thread
From: TaurusHarry @ 2010-10-26 9:58 UTC (permalink / raw)
To: refpolicy
Hi refpolicy experts,
I am trying to play with the refpolicy from the latest git tree in a qemu environment, which I can log into from the serial console or by ssh. I ran into a series of problems when logging in from the serial console or running userspace applications on top of it. Attached is the patch I have made up so far to make the serial console "usable" for normal operations.
I couldn't help wondering why the console is not made available to many userspace domains in the refpolicy by default. Take getty_t for instance: in getty.te, not only is getty_t not permitted to use the console, but furthermore a dontaudit rule is used to suppress the related AVC denied messages:
-term_dontaudit_use_console(getty_t)
+term_use_console(getty_t)
I guess I would have to make the above change in order to log in from the console, otherwise mingetty will fail with the following error messages:
INIT: Id "0" respawning too fast: disabled for 5 minutes
INIT: no more processes left in this runlevel
Furthermore, if we remove the "term_dontaudit_use_console(getty_t)" rule, we can see that /sbin/mingetty fails to execute /bin/login:
type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
Could someone enlighten me on the decision made about the console in the refpolicy implementation, and why?
Thank you very much!
Best regards,
Harry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: making-the-console-usable.patch
Type: text/x-patch
Size: 2737 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101026/824f6c31/attachment.bin
^ permalink raw reply [flat|nested] 6+ messages in thread

* [refpolicy] Why console not usable by default?
2010-10-26 9:58 [refpolicy] Why console not usable by default? TaurusHarry
@ 2010-10-26 11:23 ` Dominick Grift
2010-10-26 12:03 ` Christopher J. PeBenito
1 sibling, 0 replies; 6+ messages in thread
From: Dominick Grift @ 2010-10-26 11:23 UTC (permalink / raw)
To: refpolicy
On Tue, Oct 26, 2010 at 09:58:38AM +0000, TaurusHarry wrote:
>
> Hi refpolicy experts,
>
> I am trying to play with the refpolicy from the latest git tree in a qemu environment, which I could login from serial console or by ssh. I run into a serial of problem when logging in from the serial console nor running userspace applications on top of it. The attached is the patch I made up so far to make the serial console "usable" by normal operations.
>
> I couldn't help wondering why the console is not made available for many userspace domains in the refpolicy by default? Take the getty_t for instance, in getty.te, not only the getty_t not permitted to use console, but further more, a dontaudit rule is used to suppress the related AVC Denied messages:

I am wondering about this as well. I personally usually allow this.

>
> -term_dontaudit_use_console(getty_t)
> +term_use_console(getty_t)
>
> I guess I would have to make above changes in order to login from the console, otherwise the mingetty will fail with following error messages:
> INIT: Id "0" respawning too fast: disabled for 5 minutes
> INIT: no more processes left in this runlevel
>
> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)" rule, we can see that /sbin/mingetty fails to execute /bin/login:
> type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
>
>
> Could some one enlighten me on the decision made about the console in the refpolicy implementation? and why?
>
> Thank you very much!
>
> Best regards,
> Harry
>
> From b54492deb244da3a4d1229c492f36573f81230e6 Mon Sep 17 00:00:00 2001
> From: Harry Ciao <qingtao.cao@windriver.com>
> Date: Tue, 26 Oct 2010 14:39:21 +0800
> Subject: [PATCH] making the console usable
>
> Making various domains able to run on top of console.
>
> Signed-off-by: Harry Ciao <harrytaurus2002@@hotmail.com>
> ---
>  policy/modules/kernel/terminal.if   | 4 ++++
>  policy/modules/system/getty.te      | 2 +-
>  policy/modules/system/logging.if    | 2 +-
>  policy/modules/system/userdomain.if | 5 +++++
>  4 files changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> index 492bf76..2a90146 100644
> --- a/policy/modules/kernel/terminal.if
> +++ b/policy/modules/kernel/terminal.if
> @@ -1291,10 +1291,14 @@ interface(`term_setattr_all_ttys',`
>  interface(`term_relabel_all_ttys',`
>  	gen_require(`
>  		attribute ttynode;
> +		type console_device_t;
>  	')
>
>  	dev_list_all_dev_nodes($1)
>  	allow $1 ttynode:chr_file { relabelfrom relabelto };
> +
> +	# Make the calling domain able to relabel the console as well
> +	allow $1 console_device_t:chr_file { relabelfrom relabelto };
>  ')
>
>  ########################################
> diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
> index 408f4e6..55c2d03 100644
> --- a/policy/modules/system/getty.te
> +++ b/policy/modules/system/getty.te
> @@ -83,7 +83,7 @@ term_use_unallocated_ttys(getty_t)
>  term_setattr_all_ttys(getty_t)
>  term_setattr_unallocated_ttys(getty_t)
>  term_setattr_console(getty_t)
> -term_dontaudit_use_console(getty_t)
> +term_use_console(getty_t)
>
>  auth_rw_login_records(getty_t)
>
> diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
> index c7cfb62..6c648dc 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -540,7 +540,7 @@ interface(`logging_send_syslog_msg',`
>  	# If syslog is down, the glibc syslog() function
>  	# will write to the console.
>  	term_write_console($1)
> -	term_dontaudit_read_console($1)
> +	term_read_console($1)
>  ')
>
>  ########################################
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d1bd453..aa6e1f0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -44,6 +44,11 @@ template(`userdom_base_user_template',`
>
>  	term_user_tty($1_t, user_tty_device_t)
>
> +	# Make all kinds of unprivileged user such as
> +	# user/staff/secadm/auditadm able to log in
> +	# from the console successfully.
> +	term_use_console($1_t)
> +
>  	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
>  	allow $1_t self:fd use;
>  	allow $1_t self:fifo_file rw_fifo_file_perms;
> --
> 1.7.0.4
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
^ permalink raw reply [flat|nested] 6+ messages in thread
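Review bot: in the terminal.if hunk, adding `allow $1 console_device_t:chr_file { relabelfrom relabelto }` inside term_relabel_all_ttys() silently widens every existing caller of that interface, not only the domains this patch is about, while the interface name and its doc header still promise "all ttys". The console is a separate type with its own term_*_console interface family, so put the console relabel in a console-specific interface (or at minimum update the interface documentation to say the console is now included) so callers opt in explicitly; the gen_require addition itself is correct for the new type.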
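Review bot: the getty.te hunk turns `term_dontaudit_use_console(getty_t)` into an unconditional `term_use_console(getty_t)`, which is exactly what Chris later says he will only merge behind a tunable; wrap the allow in the true branch of a tunable_policy block and keep the dontaudit in the false branch, with a matching gen_tunable defaulting to off, so the stock behaviour (getty on /dev/tty*) is unchanged. Also note that the noatsecure denial quoted in the mail is on tclass=process between getty_t and local_login_t, so it is a getty-to-login transition permission that this console hunk does not address.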
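Review bot: in the logging.if hunk, the retained comment only justifies writing to the console when syslog is down, which `term_write_console($1)` already covers; changing `term_dontaudit_read_console($1)` to `term_read_console($1)` grants console read to every domain that calls logging_send_syslog_msg(), a far larger set than the login path this patch targets, and the mail shows no read denial that requires it. Keep the dontaudit here unless a specific denial is documented, and if read really is needed, say why in the comment.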
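Review bot: the userdomain.if hunk adds `term_use_console($1_t)` to userdom_base_user_template, the base of every user domain, so all user types get read/write on the console unconditionally; this is the other half of the /dev/console usage that should sit behind the same tunable as the getty change. The new comment also describes secadm and auditadm as "unprivileged" users, which they are not; reword it to "all user domains" or name only the roles that actually need console login.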
* [refpolicy] Why console not usable by default?
2010-10-26 9:58 [refpolicy] Why console not usable by default? TaurusHarry
2010-10-26 11:23 ` Dominick Grift
@ 2010-10-26 12:03 ` Christopher J. PeBenito
2010-10-26 12:27 ` Daniel J Walsh
1 sibling, 1 reply; 6+ messages in thread
From: Christopher J. PeBenito @ 2010-10-26 12:03 UTC (permalink / raw)
To: refpolicy
On 10/26/10 05:58, TaurusHarry wrote:
> Hi refpolicy experts,
>
> I am trying to play with the refpolicy from the latest git tree in a
> qemu environment, which I could login from serial console or by ssh. I
> run into a serial of problem when logging in from the serial console nor
> running userspace applications on top of it. The attached is the patch I
> made up so far to make the serial console "usable" by normal operations.
>
> I couldn't help wondering why the console is not made available for many
> userspace domains in the refpolicy by default? Take the getty_t for
> instance, in getty.te, not only the getty_t not permitted to use
> console, but further more, a dontaudit rule is used to suppress the
> related AVC Denied messages:
>
> -term_dontaudit_use_console(getty_t)
> +term_use_console(getty_t)
>
> I guess I would have to make above changes in order to login from the
> console, otherwise the mingetty will fail with following error messages:
> INIT: Id "0" respawning too fast: disabled for 5 minutes
> INIT: no more processes left in this runlevel
>
> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
> rule, we can see that /sbin/mingetty fails to execute /bin/login:
> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
> for pid=2292 comm="login"
> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
>
>
> Could some one enlighten me on the decision made about the console in
> the refpolicy implementation? and why?

It is this way because getty doesn't normally run on /dev/console. It normally runs on /dev/tty*.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] Why console not usable by default?
2010-10-26 12:03 ` Christopher J. PeBenito
@ 2010-10-26 12:27 ` Daniel J Walsh
2010-10-27 9:11 ` TaurusHarry
2010-10-27 12:22 ` Christopher J. PeBenito
0 siblings, 2 replies; 6+ messages in thread
From: Daniel J Walsh @ 2010-10-26 12:27 UTC (permalink / raw)
To: refpolicy
On 10/26/2010 08:03 AM, Christopher J. PeBenito wrote:
> On 10/26/10 05:58, TaurusHarry wrote:
>> Hi refpolicy experts,
>>
>> I am trying to play with the refpolicy from the latest git tree in a
>> qemu environment, which I could login from serial console or by ssh. I
>> run into a serial of problem when logging in from the serial console nor
>> running userspace applications on top of it. The attached is the patch I
>> made up so far to make the serial console "usable" by normal operations.
>>
>> I couldn't help wondering why the console is not made available for many
>> userspace domains in the refpolicy by default? Take the getty_t for
>> instance, in getty.te, not only the getty_t not permitted to use
>> console, but further more, a dontaudit rule is used to suppress the
>> related AVC Denied messages:
>>
>> -term_dontaudit_use_console(getty_t)
>> +term_use_console(getty_t)
>>
>> I guess I would have to make above changes in order to login from the
>> console, otherwise the mingetty will fail with following error messages:
>> INIT: Id "0" respawning too fast: disabled for 5 minutes
>> INIT: no more processes left in this runlevel
>>
>> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
>> rule, we can see that /sbin/mingetty fails to execute /bin/login:
>> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
>> for pid=2292 comm="login"
>> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
>> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
>>
>>
>> Could some one enlighten me on the decision made about the console in
>> the refpolicy implementation? and why?
>
> It is this way because getty doesn't normally run on /dev/console. It
> normally runs on /dev/tty*.
>
>
Fedora has term_use_console.

I think on system390 it is also required.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] Why console not usable by default?
2010-10-26 12:27 ` Daniel J Walsh
@ 2010-10-27 9:11 ` TaurusHarry
2010-10-27 12:22 ` Christopher J. PeBenito
1 sibling, 0 replies; 6+ messages in thread
From: TaurusHarry @ 2010-10-27 9:11 UTC (permalink / raw)
To: refpolicy
Hi Daniel and Chris,
Thanks for your answers. Then I simply guess the support for the console has been deliberately removed (it used to be supported way back in refpolicy-20081210, but no longer in refpolicy-20091117) just because refpolicy is developed and tested on a platform where the console is no longer used by mingetty, but /dev/tty* instead. Thus it would make a lot of sense to cross-reference the SELinux policy implementations on different distributions if one ever gets stuck on one of them :-)
Thanks again,
Harry

> Date: Tue, 26 Oct 2010 08:27:28 -0400
> From: dwalsh at redhat.com
> To: cpebenito at tresys.com
> CC: harrytaurus2002 at hotmail.com; refpolicy at oss1.tresys.com
> Subject: Re: [refpolicy] Why console not usable by default?
>
> On 10/26/2010 08:03 AM, Christopher J. PeBenito wrote:
> > On 10/26/10 05:58, TaurusHarry wrote:
> >> Hi refpolicy experts,
> >>
> >> I am trying to play with the refpolicy from the latest git tree in a
> >> qemu environment, which I could login from serial console or by ssh. I
> >> run into a serial of problem when logging in from the serial console nor
> >> running userspace applications on top of it. The attached is the patch I
> >> made up so far to make the serial console "usable" by normal operations.
> >>
> >> I couldn't help wondering why the console is not made available for many
> >> userspace domains in the refpolicy by default? Take the getty_t for
> >> instance, in getty.te, not only the getty_t not permitted to use
> >> console, but further more, a dontaudit rule is used to suppress the
> >> related AVC Denied messages:
> >>
> >> -term_dontaudit_use_console(getty_t)
> >> +term_use_console(getty_t)
> >>
> >> I guess I would have to make above changes in order to login from the
> >> console, otherwise the mingetty will fail with following error messages:
> >> INIT: Id "0" respawning too fast: disabled for 5 minutes
> >> INIT: no more processes left in this runlevel
> >>
> >> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
> >> rule, we can see that /sbin/mingetty fails to execute /bin/login:
> >> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
> >> for pid=2292 comm="login"
> >> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> >> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
> >>
> >>
> >> Could some one enlighten me on the decision made about the console in
> >> the refpolicy implementation? and why?
> >
> > It is this way because getty doesn't normally run on /dev/console. It
> > normally runs on /dev/tty*.
> >
> >
> Fedora has term_use_console.
>
> I think on system390 it is also required.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] Why console not usable by default?
2010-10-26 12:27 ` Daniel J Walsh
2010-10-27 9:11 ` TaurusHarry
@ 2010-10-27 12:22 ` Christopher J. PeBenito
1 sibling, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2010-10-27 12:22 UTC (permalink / raw)
To: refpolicy
On 10/26/10 08:27, Daniel J Walsh wrote:
> On 10/26/2010 08:03 AM, Christopher J. PeBenito wrote:
>> On 10/26/10 05:58, TaurusHarry wrote:
>>> Hi refpolicy experts,
>>>
>>> I am trying to play with the refpolicy from the latest git tree in a
>>> qemu environment, which I could login from serial console or by ssh. I
>>> run into a serial of problem when logging in from the serial console nor
>>> running userspace applications on top of it. The attached is the patch I
>>> made up so far to make the serial console "usable" by normal operations.
>>>
>>> I couldn't help wondering why the console is not made available for many
>>> userspace domains in the refpolicy by default? Take the getty_t for
>>> instance, in getty.te, not only the getty_t not permitted to use
>>> console, but further more, a dontaudit rule is used to suppress the
>>> related AVC Denied messages:
>>>
>>> -term_dontaudit_use_console(getty_t)
>>> +term_use_console(getty_t)
>>>
>>> I guess I would have to make above changes in order to login from the
>>> console, otherwise the mingetty will fail with following error messages:
>>> INIT: Id "0" respawning too fast: disabled for 5 minutes
>>> INIT: no more processes left in this runlevel
>>>
>>> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
>>> rule, we can see that /sbin/mingetty fails to execute /bin/login:
>>> type=1400 audit(1264520547.936:68): avc: denied { noatsecure }
>>> for pid=2292 comm="login"
>>> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
>>> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
>>>
>>>
>>> Could some one enlighten me on the decision made about the console in
>>> the refpolicy implementation? and why?
>
>> It is this way because getty doesn't normally run on /dev/console. It
>> normally runs on /dev/tty*.
>
>
> Fedora has term_use_console.
>
> I think on system390 it is also required.

Last time I looked at the Fedora getty patch, it had this unconditionally allowed. Send me a patch with all of the /dev/console usage related to this in a tunable, and I'll be open to merging it.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 6+ messages in thread
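A sketch of what Chris asks for in his last reply, added here as an example and not taken from the thread or from refpolicy's tree: the getty.te hunk of Harry's patch reworked so that console access is switched by a boolean instead of being allowed unconditionally. The tunable name getty_use_console is an assumption; gen_tunable, tunable_policy and the term_*_console interfaces are refpolicy's own.

```m4
## <desc>
## <p>
## Allow getty to open and use /dev/console so that logins on the
## console (for example a serial console under qemu) succeed.
## Off by default, because getty normally runs on /dev/tty*
## rather than on /dev/console.
## </p>
## </desc>
# Tunable name is assumed for this example; pick one that matches
# the refpolicy naming conventions when submitting the real patch.
gen_tunable(getty_use_console, false)

# Existing getty_t rules from getty.te stay untouched; the one
# shown here is the line that precedes the change in the patch.
term_setattr_console(getty_t)

# Replaces the unconditional term_use_console(getty_t) from the patch.
# Boolean on:  getty_t may read/write console_device_t, so mingetty can
#              run on /dev/console and hand off to login.
# Boolean off: the stock behaviour is kept, i.e. the access is denied
#              and the denial is not logged, exactly as before the patch.
tunable_policy(`getty_use_console',`
	term_use_console(getty_t)
',`
	term_dontaudit_use_console(getty_t)
')
```

The same tunable_policy wrapping applies to the userdomain.if and logging.if hunks, so that all of the /dev/console usage in the patch hangs off one boolean that can be flipped at runtime with setsebool.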