On Thu, 2011-09-01 at 07:49 -0400, jeremymiller(a)ups.com wrote:
When I boot my box to single user mode I get this error when sulogin
tries to run.
type=1400 audit(1296260632.174:5): avc: denied { write } for pid=1544
comm="sulogin" path="/dev/pts/0" dev=devpts ino=3
scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:devpts_t:s0
tclass=chr_file
Because of the policy denying the write to /dev/pts/0 I don't get the normal prompt:
Give root password for maintenance
(or type Control-D to continue):
Any ideas if this is expected? I cannot replicate it once I'm in run-level 3.
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
# ls -ldZ /dev/pts
drwxr-xr-x. root root system_u:object_r:devpts_t:s0 /dev/pts
Red Hat Enterprise Linux Server release 6.1 (Santiago)
I do not think that this pty is labelled properly?
I have not tried it since el6.0, but I have this patch:
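policy_module(mysulogin, 1.0.0)

optional_policy(`
	gen_require(`
		type sulogin_t;
	')

	# let sulogin bypass discretionary (DAC) file permission checks
	allow sulogin_t self:capability dac_override;
	# read the kernel crypto sysctls under /proc/sys/crypto
	kernel_read_crypto_sysctls(sulogin_t)
	# search the runtime pid directory /var/run
	files_search_pids(sulogin_t)
')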
Which *seems* to have fixed any sulogin issues for me.
I should try it again some time soon..
--
JM
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
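
Added example, not part of the original thread or of any SELinux tool: a small Python parser that turns an AVC denial like the one quoted above into the allow rule it corresponds to, so the denial can be compared against a candidate policy module. The function names are hypothetical and the sample line is constructed by joining the wrapped audit record from the message onto one line.

```python
import re

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE = ('type=1400 audit(1296260632.174:5): avc: denied { write } for pid=1544 '
          'comm="sulogin" path="/dev/pts/0" dev=devpts ino=3 '
          'scontext=system_u:system_r:sulogin_t:s0 '
          'tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be double-quoted


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(context):
    """Extract the type from user:role:type[:level]; MLS levels may contain ':'."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % context)
    return parts[2]


def allow_rule(fields):
    """Build the allow rule that would permit exactly the denied access."""
    src = context_type(fields['scontext'])
    tgt = context_type(fields['tcontext'])
    if tgt == src:
        tgt = 'self'  # policy convention when source and target type match
    perms = fields['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (src, tgt, fields['tclass'], perm_str)


if __name__ == '__main__':
    print(allow_rule(parse_avc(SAMPLE)))
```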