* [refpolicy] Why console not usable by default?
From: TaurusHarry @ 2010-10-26  9:58 UTC (permalink / raw)
  To: refpolicy


Hi refpolicy experts,

I am trying to play with the refpolicy from the latest git tree in a qemu environment, which I can log in to from the serial console or by ssh. I run into a series of problems when logging in from the serial console or running userspace applications on top of it. Attached is the patch I have made so far to make the serial console "usable" for normal operations.

I couldn't help wondering why the console is not made available to many userspace domains in the refpolicy by default. Take getty_t, for instance: in getty.te, not only is getty_t not permitted to use the console, but furthermore a dontaudit rule is used to suppress the related AVC denied messages:

-term_dontaudit_use_console(getty_t)
+term_use_console(getty_t)

I guess I would have to make the above changes in order to log in from the console, otherwise mingetty will fail with the following error messages:
        INIT: Id "0" respawning too fast: disabled for 5 minutes
        INIT: no more processes left in this runlevel

Furthermore, if we remove the "term_dontaudit_use_console(getty_t)" rule, we can see that /sbin/mingetty fails to execute /bin/login:
        type=1400 audit(1264520547.936:68): avc:  denied  { noatsecure } for  pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process


Could someone enlighten me on the decision made about the console in the refpolicy implementation, and why?

Thank you very much!

Best regards,
Harry

* [refpolicy] Why console not usable by default?
From: Dominick Grift @ 2010-10-26 11:23 UTC (permalink / raw)
  To: refpolicy

On Tue, Oct 26, 2010 at 09:58:38AM +0000, TaurusHarry wrote:
> 
> Hi refpolicy experts,
> 
> I am trying to play with the refpolicy from the latest git tree in a qemu environment, which I can log in to from the serial console or by ssh. I run into a series of problems when logging in from the serial console or running userspace applications on top of it. Attached is the patch I have made so far to make the serial console "usable" for normal operations.
> 
> I couldn't help wondering why the console is not made available to many userspace domains in the refpolicy by default. Take getty_t, for instance: in getty.te, not only is getty_t not permitted to use the console, but furthermore a dontaudit rule is used to suppress the related AVC denied messages:


I am wondering about this as well. I personally usually allow this.

> From b54492deb244da3a4d1229c492f36573f81230e6 Mon Sep 17 00:00:00 2001
> From: Harry Ciao <qingtao.cao@windriver.com>
> Date: Tue, 26 Oct 2010 14:39:21 +0800
> Subject: [PATCH] making the console usable
> 
> Making various domains able to run on top of console.
> 
> Signed-off-by: Harry Ciao <harrytaurus2002@@hotmail.com>
> ---
>  policy/modules/kernel/terminal.if   |    4 ++++
>  policy/modules/system/getty.te      |    2 +-
>  policy/modules/system/logging.if    |    2 +-
>  policy/modules/system/userdomain.if |    5 +++++
>  4 files changed, 11 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> index 492bf76..2a90146 100644
> --- a/policy/modules/kernel/terminal.if
> +++ b/policy/modules/kernel/terminal.if
> @@ -1291,10 +1291,14 @@ interface(`term_setattr_all_ttys',`
>  interface(`term_relabel_all_ttys',`
>  	gen_require(`
>  		attribute ttynode;
> +		type console_device_t;
>  	')
>  
>  	dev_list_all_dev_nodes($1)
>  	allow $1 ttynode:chr_file { relabelfrom relabelto };
> +
> +	# Make the calling domain able to relabel the console as well
> +	allow $1 console_device_t:chr_file { relabelfrom relabelto };
>  ')
>  
>  ########################################
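Review bot: adding `allow $1 console_device_t:chr_file { relabelfrom relabelto };` to `term_relabel_all_ttys` changes the meaning of an interface whose name and every existing caller assume the `ttynode` attribute only; `console_device_t` is not a ttynode, so all current callers silently gain the right to relabel /dev/console. Put this in its own interface (something like a `term_relabel_console` beside the existing `term_setattr_console`) and call it from the one domain that needs it, or at minimum update the interface's doc comment so the wider scope is visible to callers.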
> diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
> index 408f4e6..55c2d03 100644
> --- a/policy/modules/system/getty.te
> +++ b/policy/modules/system/getty.te
> @@ -83,7 +83,7 @@ term_use_unallocated_ttys(getty_t)
>  term_setattr_all_ttys(getty_t)
>  term_setattr_unallocated_ttys(getty_t)
>  term_setattr_console(getty_t)
> -term_dontaudit_use_console(getty_t)
> +term_use_console(getty_t)
>  
>  auth_rw_login_records(getty_t)
>  
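Review bot: swapping `term_dontaudit_use_console(getty_t)` for `term_use_console(getty_t)` grants the access unconditionally, while the dontaudit is there because getty normally sits on /dev/tty* rather than /dev/console (as the reply further down this thread says). Wrap it in a `tunable_policy` with the dontaudit kept in the else branch, so the default stays as it is and only systems that really log in on the console turn it on; the patch description should also say which setup (a serial console under qemu here) needs it.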
> diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
> index c7cfb62..6c648dc 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -540,7 +540,7 @@ interface(`logging_send_syslog_msg',`
>  	# If syslog is down, the glibc syslog() function
>  	# will write to the console.
>  	term_write_console($1)
> -	term_dontaudit_read_console($1)
> +	term_read_console($1)
>  ')
>  
>  ########################################
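Review bot: `logging_send_syslog_msg` is called by nearly every domain that logs, so changing `term_dontaudit_read_console($1)` to `term_read_console($1)` hands read access on /dev/console to all of them, far beyond the console-login case this patch is about. The comment above the rule only explains why a write is needed (glibc's syslog() falls back to writing the console), and no read is required for that fallback; drop this hunk, and if one specific domain genuinely needs to read the console, give that domain the rule directly.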
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d1bd453..aa6e1f0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -44,6 +44,11 @@ template(`userdom_base_user_template',`
>  
>  	term_user_tty($1_t, user_tty_device_t)
>  
> +	# Make all kinds of unprivileged user such as
> +	# user/staff/secadm/auditadm able to log in
> +	# from the console successfully.
> +	term_use_console($1_t)
> +
>  	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
>  	allow $1_t self:fd use;
>  	allow $1_t self:fifo_file rw_fifo_file_perms;
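Review bot: `term_use_console($1_t)` in `userdom_base_user_template` applies to every user domain built from the template, not only the one logged in at the console. The `term_user_tty($1_t, user_tty_device_t)` line just above is scoped by the relabel login performs on the session tty, whereas `console_device_t` is a fixed label, so this rule lets any user domain read and write /dev/console regardless of who is sitting at it. Gate it with the same tunable as the getty change, and fix the comment: secadm and auditadm are not unprivileged users.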
> -- 
> 1.7.0.4

* [refpolicy] Why console not usable by default?
From: Christopher J. PeBenito @ 2010-10-26 12:03 UTC (permalink / raw)
  To: refpolicy

On 10/26/10 05:58, TaurusHarry wrote:
> Could someone enlighten me on the decision made about the console in
> the refpolicy implementation, and why?

It is this way because getty doesn't normally run on /dev/console.  It
normally runs on /dev/tty*.


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] Why console not usable by default?
From: Daniel J Walsh @ 2010-10-26 12:27 UTC (permalink / raw)
  To: refpolicy

On 10/26/2010 08:03 AM, Christopher J. PeBenito wrote:
> It is this way because getty doesn't normally run on /dev/console.  It
> normally runs on /dev/tty*.
> 
> 
Fedora has term_use_console.

I think on system390 it is also required.

* [refpolicy] Why console not usable by default?
From: TaurusHarry @ 2010-10-27  9:11 UTC (permalink / raw)
  To: refpolicy


Hi Daniel and Chris,

Thanks for your answers. Then I simply guess the support for the console has been deliberately removed (it used to be supported way back in refpolicy-20081210, but no longer in refpolicy-20091117) just because refpolicy is developed and tested on a platform where the console is no longer used by mingetty, but /dev/tty* instead.

Thus it would make lots of sense to cross-reference the SELinux policy implementations on different distributions if I ever get stuck on one of them :-)

Thanks again,
Harry


* [refpolicy] Why console not usable by default?
From: Christopher J. PeBenito @ 2010-10-27 12:22 UTC (permalink / raw)
  To: refpolicy

On 10/26/10 08:27, Daniel J Walsh wrote:
> On 10/26/2010 08:03 AM, Christopher J. PeBenito wrote:
>> It is this way because getty doesn't normally run on /dev/console.  It
>> normally runs on /dev/tty*.
> 
> 
> Fedora has term_use_console.
> 
> I think on system390 it is also required.

Last time I looked at the Fedora getty patch, it had this
unconditionally allowed.  Send me a patch with all of the /dev/console
usage related to this in a tunable, and I'll be open to merging it.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
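A tunable of the shape Chris asks for, as an added example that is not code from the thread, from Harry's patch or from refpolicy itself. The boolean name `getty_use_console` and the file placement are assumptions; `gen_tunable`, `tunable_policy`, `term_use_console` and `term_dontaudit_use_console` are refpolicy's existing macros and interfaces, the last two being the ones the patch swaps in getty.te.

```m4
# --- policy/modules/system/getty.te (added example; the boolean name is an assumption) ---

## <desc>
## <p>
## Allow getty and the login it spawns to run on /dev/console
## instead of /dev/tty*, for example on a serial console under qemu.
## </p>
## </desc>
gen_tunable(getty_use_console, false)

# Boolean off (the default): the console stays closed to getty_t and the
# denials stay silent, exactly as the unpatched getty.te has it.
# Boolean on: getty_t may read and write console_device_t, so
# /sbin/mingetty and /bin/login can proceed on /dev/console.
tunable_policy(`getty_use_console',`
	term_use_console(getty_t)
',`
	term_dontaudit_use_console(getty_t)
')

# --- policy/modules/system/userdomain.if, inside userdom_base_user_template ---
# The same boolean gates the user domains created by the template, so the
# console is only opened to them when console logins are actually in use.
tunable_policy(`getty_use_console',`
	term_use_console($1_t)
')
```

The boolean is toggled at runtime with `setsebool -P getty_use_console on`, so the shipped policy keeps upstream's default while a serial-console box flips it once. Because the tunable is also referenced from an interface in userdomain.if, which is expanded into other modules, a modular build needs the `gen_tunable` declared where every module can see it, so in practice it belongs in refpolicy's global_tunables rather than in getty.te.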
