Re: sulogin

On Thu, 2011-09-01 at 07:49 -0400, jeremymiller(a)ups.com wrote: > When I boot my box to single user mode I get this error when > sulogin tries to run. > > type=1400 audit(1296260632.174:5): avc: denied { write } for > pid=1544 comm="sulogin" path="/dev/pts/0" dev=devpts ino=3 > scontext=system_u:system_r:sulogin_t:s0 > tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file > > Because of the policy denying the write to /dev/pts/0 I don't get > the normal prompt: > > Give root password for maintenance (or type Control-D to > continue): > > Any ideas if this is expected? I cannot replicate it once I'm in > run-level 3. > > # sestatus SELinux status: enabled SELinuxfs > mount: /selinux Current mode: > enforcing Mode from config file: enforcing Policy > version: 24 Policy from config file: > targeted > > # ls -ldZ /dev/pts drwxr-xr-x. root root > system_u:object_r:devpts_t:s0 /dev/pts > > Red Hat Enterprise Linux Server release 6.1 (Santiago I do not think that this pty is labelled properly? I have not tried it since el6.0, but i have this patch: policy_module(mysulogin, 1.0.0) optional_policy(` gen_require(` type sulogin_t; ') allow sulogin_t self:capability dac_override; kernel_read_crypto_sysctls(sulogin_t) files_search_pids(sulogin_t) ') Which *seems* to have fixed any sulogin issues for me. I should try it again some time soon.. > -- JM -- selinux mailing list selinux(a)lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux -- selinux mailing list selinux(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5fyqwACgkQrlYvE4MpobOulQCeNjrD0Zqsq9DaXfTgroxmEZFq QoEAn0x7Wosi7Cz+0pt/rWX1ELC4/t6l =uQhV -----END PGP SIGNATURE-----