From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Why console not usable by default?
Date: Tue, 26 Oct 2010 08:03:48 -0400	[thread overview]
Message-ID: <4CC6C3A4.2080905@tresys.com> (raw)
In-Reply-To: <SNT139-w7E36775349BB2932E65D1AB420@phx.gbl>

On 10/26/10 05:58, TaurusHarry wrote:
> Hi refpolicy experts,
> 
> I am trying to play with the refpolicy from the latest git tree in a
> qemu environment, which I can log in to from the serial console or by ssh. I
> ran into a series of problems when logging in from the serial console or
> running userspace applications on top of it. The attached is the patch I
> made up so far to make the serial console "usable" for normal operations.
> 
> I couldn't help wondering why the console is not made available to many
> userspace domains in the refpolicy by default? Take getty_t for
> instance: in getty.te, not only is getty_t not permitted to use the
> console, but furthermore a dontaudit rule is used to suppress the
> related AVC denied messages:
> 
> -term_dontaudit_use_console(getty_t)
> +term_use_console(getty_t)
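Review bot: swapping the dontaudit for term_use_console(getty_t) in the shared getty.te grants console use to every getty_t instance, not only the serial-console getty this qemu setup needs; given the reply below that getty normally runs on /dev/tty* rather than /dev/console, consider carrying this rule in a local policy module for the image instead of changing getty.te. Note also that the noatsecure denial quoted further down (getty_t to local_login_t, class process) has a different target and class, so this line does not address it.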
> 
> I guess I would have to make the above changes in order to log in from the
> console, otherwise mingetty will fail with the following error messages:
>         INIT: Id "0" respawning too fast: disabled for 5 minutes
>         INIT: no more processes left in this runlevel
> 
> Furthermore, if we remove the "term_dontaudit_use_console(getty_t)"
> rule, we can see that /sbin/mingetty fails to execute /bin/login:
>         type=1400 audit(1264520547.936:68): avc:  denied  { noatsecure }
> for  pid=2292 comm="login"
> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
> 
> 
> Could someone enlighten me on the decision made about the console in
> the refpolicy implementation, and why?

It is this way because getty doesn't normally run on /dev/console.  It
normally runs on /dev/tty*.


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
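The AVC denial quoted in this thread is the kind of record a policy developer turns into a candidate rule with audit2allow. As an added example, not code from the thread or from refpolicy, here is a small parser for AVC denial lines that aggregates them into allow rules the way audit2allow does, and flags which denials the quoted term_dontaudit_use_console(getty_t) rule is assumed to suppress. The first sample line is the denial from the thread re-joined onto one line; the second sample line, the console_device_t type for /dev/console, and the shape of the dontaudit interface are assumptions for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample input. The first line is the AVC denial quoted in the
# thread (re-joined onto one line); the second is a constructed denial of the
# shape that term_dontaudit_use_console(getty_t) is assumed to suppress
# (console_device_t as the type of /dev/console is an assumption here).
SAMPLE_AVC_LINES = [
    'type=1400 audit(1264520547.936:68): avc:  denied  { noatsecure } for  pid=2292 '
    'comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 '
    'tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process',
    'type=1400 audit(1264520548.100:69): avc:  denied  { read write } for  pid=2290 '
    'comm="mingetty" path="/dev/console" dev=tmpfs ino=42 '
    'scontext=system_u:system_r:getty_t:s0-s15:c0.c255 '
    'tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range]  ->  type"""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial record. Returns None for non-AVC lines (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def allow_rules(lines):
    """Aggregate denials into allow rules, one per (source, target, class),
    merging permissions the way audit2allow does."""
    merged = OrderedDict()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d['source_type'], d['target_type'], d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in merged.items():
        target = 'self' if src == tgt else tgt
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ ' + p + ' }'
        rules.append('allow %s %s:%s %s;' % (src, target, cls, p))
    return rules


def hidden_by_console_dontaudit(d, domain='getty_t'):
    """Assumption: term_dontaudit_use_console($1) is a dontaudit of $1 on
    console_device_t:chr_file. Denials of that shape never reach the log while
    the rule is in place. The noatsecure denial from the thread has a different
    target and class, so that dontaudit never affected it."""
    return (d['source_type'] == domain
            and d['target_type'] == 'console_device_t'
            and d['tclass'] == 'chr_file')


if __name__ == '__main__':
    for line in SAMPLE_AVC_LINES:
        d = parse_avc(line)
        state = 'hidden by dontaudit' if hidden_by_console_dontaudit(d) else 'logged'
        print(d['comm'], d['perms'], d['path'], state)
    for rule in allow_rules(SAMPLE_AVC_LINES):
        print(rule)
```

Run it as a script to see the two generated rules; in practice the generated allow rules are a starting point for review, not something to paste into a module unchanged, and a rule aimed at one machine belongs in a local module rather than in the shared refpolicy .te files.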

Thread overview: 6+ messages
2010-10-26  9:58 [refpolicy] Why console not usable by default? TaurusHarry
2010-10-26 11:23 ` Dominick Grift
2010-10-26 12:03 ` Christopher J. PeBenito [this message]
2010-10-26 12:27   ` Daniel J Walsh
2010-10-27  9:11     ` TaurusHarry
2010-10-27 12:22     ` Christopher J. PeBenito
