locallogin patch for Fedora 8

This patch appears necessary to get the reference policy to run on Fedora
8.  Without it, attempts to log in on the console get:

type=SYSCALL msg=audit(12/26/2007 15:03:13.840:126) : arch=i386 syscall=write success=no exit=-1(Operation not permitted) a0=4 a1=bff0a630 a2=1 a3=1 items=0 ppid=1 pid=2221 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty2 comm=login exe=/bin/login subj=system_u:system_r:local_login_t:s0-s15:c0.c255 key=(null)
type=AVC msg=audit(12/26/2007 15:03:13.840:126) : avc: denied { audit_control } for pid=2221 comm=login capability=audit_control scontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=capability

The basic fix was previously submitted by Dan Walsh to the SELinux mailing
list on 14 Apr 2005, noting that pam_loginuid required this capability.  If
subsequently another way to work around this was preferred, please let me
know; I'm extremely new to SELinux and am still fumbling.

(My configuration uses TYPE=mls, DISTRO=redhat, MONOLITHIC=n, and removes
the unconfined module, and anaconda and firstboot which depend on it, in an
attempt to be a "strict" policy.  This may also have some effect on why the
original didn't work for me.)

Peter

Index: policy/modules/system/locallogin.te
===================================================================
--- policy/modules/system/locallogin.te	(revision 2565)
+++ policy/modules/system/locallogin.te	(working copy)
@@ -34,6 +34,9 @@
 #

 allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+ifdef(`distro_redhat', `
+allow local_login_t self:capability { audit_control };
+')
 allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow local_login_t self:process { setrlimit setexec };
 allow local_login_t self:fd use;
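Review bot: the ifdef(`distro_redhat', ...) guard around the new audit_control rule looks narrower than the problem it fixes: the mail attributes the denial to pam_loginuid, which is a generic Linux-PAM module rather than a Red Hat-only component, so any distribution that stacks pam_loginuid in the login PAM configuration will hit the same denial with the guard in place. Either drop the guard, in which case audit_control can simply be appended to the existing capability set on the line above instead of adding a second allow rule, or keep it and add a comment above the new rule saying that the capability is needed for pam_loginuid to set the login uid; audit_control is a strong capability (it governs the kernel audit configuration), and a later reader should be able to see why a login program is granted it.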

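To show how the AVC record above relates to the allow rules in the hunk, here is a small checker, added as an example and not part of Peter's mail or the reference policy. It parses `avc: denied` records, extracts the source and target types and the denied permissions, parses plain `allow` rules from a policy fragment, and reports which permissions each denial still lacks, printing the refpolicy-style rule that would grant them. The sample audit text is a constructed copy of the quoted record plus a second, invented `sys_admin` denial that the patch does not cover; the policy fragments are the pre- and post-patch capability lines from the hunk, with the m4 `ifdef` left unevaluated (the guarded rule is treated as active, as it would be on a `distro_redhat` build).

```python
import re

# Constructed sample audit records: the AVC quoted in the mail plus a second,
# invented denial (sys_admin) that the proposed rule does not cover.
SAMPLE_AUDIT = """\
type=AVC msg=audit(12/26/2007 15:03:13.840:126) : avc: denied { audit_control } for pid=2221 comm=login capability=audit_control scontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=capability
type=AVC msg=audit(12/26/2007 15:03:14.100:127) : avc: denied { sys_admin } for pid=2221 comm=login capability=sys_admin scontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=capability
"""

# The capability rule from locallogin.te before the patch, and the same text
# with the patch applied. The m4 ifdef lines are left in place; this checker
# does not evaluate them, so the guarded rule counts as active.
POLICY_BEFORE = "allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };\n"
POLICY_AFTER = POLICY_BEFORE + "ifdef(`distro_redhat', `\nallow local_login_t self:capability { audit_control };\n')\n"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
# Matches 'allow src tgt:class { p1 p2 };' and 'allow src tgt:class p;'.
# Complement sets (~{ ... }) deliberately do not match: expanding them needs
# the full permission list of the class, which is not available here.
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;", re.M)


def _type_of(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one dict per 'avc: denied' record in text; other records are ignored."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        out.append({
            "perms": set(m.group("perms").split()),
            "source": _type_of(fields["scontext"]),
            "target": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            "comm": fields.get("comm"),
        })
    return out


def parse_allow_rules(policy_text):
    """Extract plain allow rules as (source, target, class, perms) tuples."""
    rules = []
    for src, tgt, tclass, braced, single in ALLOW_RE.findall(policy_text):
        perms = set(braced.split()) if braced else {single}
        rules.append((src, tgt, tclass, perms))
    return rules


def missing_perms(rules, denial):
    """Permissions in the denial that no rule grants ('self' means target == source)."""
    allowed = set()
    for src, tgt, tclass, perms in rules:
        expected_tgt = denial["source"] if tgt == "self" else tgt
        if src == denial["source"] and tclass == denial["tclass"] and expected_tgt == denial["target"]:
            allowed |= perms
    return denial["perms"] - allowed


def suggest_rule(denial, perms):
    """Refpolicy-style rule text that would grant the given permissions."""
    tgt = "self" if denial["target"] == denial["source"] else denial["target"]
    return "allow %s %s:%s { %s };" % (denial["source"], tgt, denial["tclass"], " ".join(sorted(perms)))


def audit_against_policy(policy_text, audit_text):
    """For each denial not fully covered by the policy, return the rule that would cover it."""
    rules = parse_allow_rules(policy_text)
    report = []
    for denial in parse_avc(audit_text):
        missing = missing_perms(rules, denial)
        if missing:
            report.append(suggest_rule(denial, missing))
    return report


if __name__ == "__main__":
    for label, policy in (("before patch", POLICY_BEFORE), ("after patch", POLICY_AFTER)):
        print(label + ":")
        for rule in audit_against_policy(policy, SAMPLE_AUDIT):
            print("  still needed: " + rule)
```

Run against the pre-patch fragment it reports both `audit_control` and the constructed `sys_admin` as uncovered; against the patched fragment only the constructed `sys_admin` denial remains, which is the check to make before concluding that a single added permission is the whole fix. Real `audit.log` files also contain the matching SYSCALL records seen above; they are skipped because they carry no `avc: denied` text.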
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
