Re: get the red and green back (really consoletype, rhgb)


 



Tom London wrote:

Booting in strict/enforcing, 'Fedora' in the 'Welcome to Fedora Core'
message is no longer red, the subsequent 6 or so messages are formatted
differently (i.e., the '[OK]' is not nicely indented, and it is not in green).
Also, rhgb doesn't start. (Yeah, I know, this is not a bug, it's a feature ;) )


Anyway, the following patch puts the red and green back in the boot.
The change mimics the privileges given for console_device_t:chr_file

--- /etc/selinux/strict/src-1.17.16-3/policy/domains/program/consoletype.te 2004-09-16 07:14:24.000000000 -0700
+++ ./consoletype.te 2004-09-16 11:37:14.000000000 -0700
@@ -52,5 +52,5 @@
allow consoletype_t pam_var_run_t:file { getattr read };
')
ifdef(`distro_redhat', `
-dontaudit consoletype_t tmpfs_t:chr_file { read write };
+allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };
')
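
Review bot: the added allow line grants consoletype_t getattr, ioctl, read and write on tmpfs_t:chr_file, which covers every character device node carrying the generic tmpfs_t label rather than only the console. The description says the rule mimics the privileges given for console_device_t:chr_file, but nothing in the hunk records that. Add a comment above the rule saying why consoletype needs the tmpfs_t device under distro_redhat, and consider whether the node can be labeled console_device_t instead so the generic type does not have to be opened up.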


Modified

The following makes rhgb work in strict/enforcing.  The problem
is that it wants to mount /etc/rhgb, but it is currently labeled
'etc_t'.  Labeling /etc/rhgb as 'root_t' makes it work.  Not sure
if this is really 'proper'. I'd be more comfortable with it being
labeled something like 'etc_rhgb_t' or some such, or moving
the mount point....

--- /etc/selinux/strict/src-1.17.16-3/policy/file_contexts/program/rhgb.fc 2004-09-16 07:14:24.000000000 -0700
+++ ./rhgb.fc 2004-09-16 12:21:12.424588200 -0700
@@ -1,2 +1,3 @@
/usr/bin/rhgb -- system_u:object_r:rhgb_exec_t
#/etc/dbus-1(/.*)? system_u:object_r:etc_dbusd_t
+/etc/rhgb -d system_u:object_r:root_t
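
Review bot: the added "/etc/rhgb -d system_u:object_r:root_t" entry reuses root_t, the type of the root directory, for a mount point under /etc, so any domain that is allowed access to root_t directories gets the same access to this one. A dedicated type for the mount point (such as the etc_rhgb_t floated in the description) or an existing mount-point type would keep the grant narrow. The entry would also benefit from a comment stating that rhgb mounts on this directory, since the file context alone does not explain why a directory under /etc is not etc_t.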


Changed to mnt_t


-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list


