sulogin
Dominick Grift
domg472 at gmail.com
Thu Sep 1 16:45:53 UTC 2011
On Thu, 2011-09-01 at 07:49 -0400, jeremymiller at ups.com wrote:
> When I boot my box to single user mode I get this error when sulogin tries to run.
>
> type=1400 audit(1296260632.174:5): avc: denied { write } for pid=1544 comm="sulogin" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>
> Because of the policy denying the write to /dev/pts/0 I don't get the normal prompt:
>
> Give root password for maintenance
> (or type Control-D to continue):
>
> Any ideas if this is expected? I cannot replicate it once I'm in run-level 3.
>
> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 24
> Policy from config file: targeted
>
> # ls -ldZ /dev/pts
> drwxr-xr-x. root root system_u:object_r:devpts_t:s0 /dev/pts
>
> Red Hat Enterprise Linux Server release 6.1 (Santiago)
I do not think that this pty is labelled properly?
I have not tried it since el6.0, but I have this patch:
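policy_module(mysulogin, 1.0.0)

optional_policy(`
    gen_require(`
        type sulogin_t;
    ')

    # let sulogin bypass discretionary (file mode) permission checks
    allow sulogin_t self:capability dac_override;
    # read the crypto sysctls under /proc/sys/crypto
    kernel_read_crypto_sysctls(sulogin_t)
    # search the pid directory (/var/run)
    files_search_pids(sulogin_t)
')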
Which *seems* to have fixed any sulogin issues for me.
I should try it again some time soon..
> --
> JM
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
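
Added example, not part of the original thread or of any SELinux tool: a small parser for the AVC record quoted above that pulls out the source type, target type, class and permission and prints the allow rule that would match the denial, so it can be compared against the loaded policy or against the target's label. The function names (parse_avc, context_type, candidate_rule) are made up for this example; the only input is the record from the report.

```python
import re
from datetime import datetime, timezone

# AVC record copied from the quoted report above.
AVC = ('type=1400 audit(1296260632.174:5): avc: denied { write } for pid=1544 '
       'comm="sulogin" path="/dev/pts/0" dev=devpts ino=3 '
       'scontext=system_u:system_r:sulogin_t:s0 '
       'tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file')

HEADER = re.compile(
    r'audit\((\d+)\.(\d+):(\d+)\): avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC audit record into fields; ValueError if malformed."""
    m = HEADER.search(line)
    if not m:
        raise ValueError('not an AVC record')
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    for key in ('scontext', 'tcontext', 'tclass'):
        if key not in rec:
            raise ValueError('missing ' + key)
    rec['time'] = datetime.fromtimestamp(int(m.group(1)), timezone.utc)
    rec['serial'] = int(m.group(3))
    rec['result'] = m.group(4)
    rec['perms'] = m.group(5).split()
    return rec


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('bad context: ' + context)
    return parts[2]


def candidate_rule(rec):
    """Build the allow rule that would match the denial, for policy review."""
    perms = rec['perms']
    perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (context_type(rec['scontext']),
                                   context_type(rec['tcontext']),
                                   rec['tclass'], perm_s)


if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(rec['comm'], rec['path'], rec['time'].isoformat())
    print(candidate_rule(rec))
```

The printed rule is a description of what was denied, for review against the policy and the device label; it is not a statement that the rule should be loaded.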