tty files, console login on debian

tty files, console login on debian

[Erich Schubert]

Hi Russel,
I just updated my system to your lates debian policy package.
Afterwards I could no longer login on the console, ssh worked.
I believe i found the problem in types/file.te:
I solved it by adding the following:

allow { dev_fs ttyfile } fs_t:filesystem associate;

Since the type of the staff/user ttys is "ttyfile", but no longer
"device_type". Maybe you'll prefer a different fix, though.
It is also possible that the mountpoint or so needs to be relabeled?
(redhat appears to have tmpfs_t there, not fs_t)

Greetings,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
            There are only 10 types of people in the world:           //\
            Those who understand binary and those who don't           V_/_
  In unseren Freunden suchen wir, was uns fehlt. --- Thornton Wilder


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: tty files, console login on debian

[Russell Coker]

On Wednesday 10 November 2004 05:19, Erich Schubert <erich@debian.org> wrote:
> I just updated my system to your lates debian policy package.
> Afterwards I could no longer login on the console, ssh worked.
> I believe i found the problem in types/file.te:
> I solved it by adding the following:

I've just uploaded a new Debian policy package that fixes this among other 
things.

> Since the type of the staff/user ttys is "ttyfile", but no longer
> "device_type". Maybe you'll prefer a different fix, though.
> It is also possible that the mountpoint or so needs to be relabeled?
> (redhat appears to have tmpfs_t there, not fs_t)

In Fedora now the terminal device nodes are only on tmpfs_t for a udev managed 
tmpfs on /dev.  In Debian the normal use is to have ext2/3 file systems for 
root which includes /dev.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: tty files, console login on debian

[Luke Kenneth Casson Leighton]

On Tue, Jan 04, 2005 at 07:37:18PM +1100, Russell Coker wrote:
> > Since the type of the staff/user ttys is "ttyfile", but no longer
> > "device_type". Maybe you'll prefer a different fix, though.
> > It is also possible that the mountpoint or so needs to be relabeled?
> > (redhat appears to have tmpfs_t there, not fs_t)
> 
> In Fedora now the terminal device nodes are only on tmpfs_t for a udev managed 
> tmpfs on /dev.  In Debian the normal use is to have ext2/3 file systems for 
> root which includes /dev.
 
 and the abnormal use (for mad people like me) is to hand-patch
 the /etc/init.d debian scripts like makevirtfs etc. and also
 the selinux strict policy to cope with an initrd.

 none of which stands a dog's chance of being accepted until sarge is
 released because libselinux1 is presently "optional" and all the
 critical packages must have "optional" dependencies.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.