Old 09-01-2011, 11:49 AM
 
Default sulogin

When I boot my box to single user mode I get this error when sulogin tries to run.

type=1400 audit(1296260632.174:5): avc: denied { write } for pid=1544 comm="sulogin" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file

Because of the policy denying the write to /dev/pts/0 I don't get the normal prompt:

Give root password for maintenance
(or type Control-D to continue):

Any ideas if this is expected? I cannot replicate it once I'm in run-level 3.

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

# ls -ldZ /dev/pts
drwxr-xr-x. root root system_u:object_r:devpts_t:s0 /dev/pts

Red Hat Enterprise Linux Server release 6.1 (Santiago

--
JM
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
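
Decoding the AVC record quoted in the post above, as an added example that is not part of the original thread: the Python below splits the record into its fields and derives the allow rule the denial maps to, in the form audit2allow prints. The function names are hypothetical; the derived rule only restates the denial and says nothing about whether /dev/pts/0 carries the right label.

```python
import re
from datetime import datetime, timezone

# The denial from the post above, contexts in user:role:type:level form.
AVC = ('type=1400 audit(1296260632.174:5): avc: denied { write } for pid=1544 '
       'comm="sulogin" path="/dev/pts/0" dev=devpts ino=3 '
       'scontext=system_u:system_r:sulogin_t:s0 '
       'tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file')

AVC_RE = re.compile(
    r'audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Split one AVC record into verdict, permissions and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest'))
    rec = {key: value.strip('"') for key, value in pairs}
    rec['verdict'] = m.group('verdict')
    rec['perms'] = m.group('perms').split()
    # The audit timestamp is seconds since the epoch; report it in UTC.
    rec['time'] = datetime.fromtimestamp(int(m.group('epoch')), timezone.utc)
    return rec

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed context: ' + context)
    return parts[2]

def candidate_rule(rec):
    """Allow rule that corresponds to the denial (source, target:class, perms)."""
    perms = rec['perms']
    perm_set = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (context_type(rec['scontext']),
                                   context_type(rec['tcontext']),
                                   rec['tclass'], perm_set)

if __name__ == '__main__':
    record = parse_avc(AVC)
    print(record['time'].isoformat(), record['comm'], record['path'])
    print(candidate_rule(record))
```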
 
Old 09-01-2011, 04:45 PM
Dominick Grift
 
Default sulogin

On Thu, 2011-09-01 at 07:49 -0400, jeremymiller@ups.com wrote:
> When I boot my box to single user mode I get this error when sulogin tries to run.
>
> type=1400 audit(1296260632.174:5): avc: denied { write } for pid=1544 comm="sulogin" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>
> Because of the policy denying the write to /dev/pts/0 I don't get the normal prompt:
>
> Give root password for maintenance
> (or type Control-D to continue):
>
> Any ideas if this is expected? I cannot replicate it once I'm in run-level 3.
>
> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 24
> Policy from config file: targeted
>
> # ls -ldZ /dev/pts
> drwxr-xr-x. root root system_u:object_r:devpts_t:s0 /dev/pts
>
> Red Hat Enterprise Linux Server release 6.1 (Santiago

I do not think that this pty is labelled properly?

I have not tried it since el6.0, but I have this patch:

policy_module(mysulogin, 1.0.0)

optional_policy(`
    gen_require(`
        type sulogin_t;
    ')

    allow sulogin_t self:capability dac_override;
    kernel_read_crypto_sysctls(sulogin_t)
    files_search_pids(sulogin_t)
')

Which *seems* to have fixed any sulogin issues for me.

I should try it again some time soon..

 
Old 09-01-2011, 06:10 PM
Daniel J Walsh
 
Default sulogin

On 09/01/2011 12:45 PM, Dominick Grift wrote:
> On Thu, 2011-09-01 at 07:49 -0400, jeremymiller@ups.com wrote:
>> When I boot my box to single user mode I get this error when
>> sulogin tries to run.
>>
>> type=1400 audit(1296260632.174:5): avc: denied { write } for
>> pid=1544 comm="sulogin" path="/dev/pts/0" dev=devpts ino=3
>> scontext=system_u:system_r:sulogin_t:s0
>> tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>>
>> Because of the policy denying the write to /dev/pts/0 I don't get
>> the normal prompt:
>>
>> Give root password for maintenance (or type Control-D to
>> continue):
>>
>> Any ideas if this is expected? I cannot replicate it once I'm in
>> run-level 3.
>>
>> # sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: enforcing
>> Mode from config file: enforcing
>> Policy version: 24
>> Policy from config file: targeted
>>
>> # ls -ldZ /dev/pts
>> drwxr-xr-x. root root system_u:object_r:devpts_t:s0 /dev/pts
>>
>> Red Hat Enterprise Linux Server release 6.1 (Santiago
>
> I do not think that this pty is labelled properly?
>
> I have not tried it since el6.0, but i have this patch:
>
> policy_module(mysulogin, 1.0.0)
>
> optional_policy(`
>     gen_require(`
>         type sulogin_t;
>     ')
>
>     allow sulogin_t self:capability dac_override;
>     kernel_read_crypto_sysctls(sulogin_t)
>     files_search_pids(sulogin_t)
> ')
>
> Which *seems* to have fixed any sulogin issues for me.
>
> I should try it again some time soon..
>

Please open a bug with RHEL6.