get the red and green back (really consoletype, rhgb)

Daniel J Walsh dwalsh at redhat.com
Thu Sep 16 21:08:55 UTC 2004


Tom London wrote:

> Booting in strict/enforcing, 'Fedora' in the 'Welcome to Fedora Core'
> message  is no longer red, the subsequent 6 or so messages are formatted
> differently (i.e., the '[OK]' is not nicely indented, and it is not in 
> green).
> Also, rhgb doesn't start. (Yeah, I know, this is not a bug, it's a 
> feature ;) )
>
> Anyway, the following patch puts the red and green back in the boot.
> The change mimics the privileges given for console_device_t:chr_file
>
> --- 
> /etc/selinux/strict/src-1.17.16-3/policy/domains/program/consoletype.te    
> 2004-09-16 07:14:24.000000000 -0700
> +++ ./consoletype.te    2004-09-16 11:37:14.000000000 -0700
> @@ -52,5 +52,5 @@
> allow consoletype_t pam_var_run_t:file { getattr read };
> ')
> ifdef(`distro_redhat', `
> -dontaudit consoletype_t tmpfs_t:chr_file { read write };
> +allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };
> ')
>
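Review bot: the new allow on the `+` line grants consoletype_t getattr, ioctl, read and write on every chr_file labeled tmpfs_t, not only the console node, so it is wider than the console_device_t:chr_file rule it is meant to mimic. If the console is only seen as tmpfs_t because its node has not been labeled yet at that point in boot, a comment inside the `ifdef(`distro_redhat'` block should say so, and labeling that node with the console type would let the access stay on console_device_t instead of widening tmpfs_t.
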
Modified

> The following makes rhgb work in strict/enforcing.  The problem
> is that it wants to mount /etc/rhgb, but it is currently labeled
> 'etc_t'.  Labeling /etc/rhgb as 'root_t' makes it work.  Not sure
> if this is really 'proper'. I'd be more comfortable with it being
> labeled something like 'etc_rhgb_t' or some such, or moving
> the mount point....
>
> --- 
> /etc/selinux/strict/src-1.17.16-3/policy/file_contexts/program/rhgb.fc     
> 2004-09-16 07:14:24.000000000 -0700
> +++ ./rhgb.fc   2004-09-16 12:21:12.424588200 -0700
> @@ -1,2 +1,3 @@
> /usr/bin/rhgb          --      system_u:object_r:rhgb_exec_t
> #/etc/dbus-1(/.*)?             system_u:object_r:etc_dbusd_t
> +/etc/rhgb              -d      system_u:object_r:root_t
>
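Review bot: the added `/etc/rhgb` entry reuses root_t, the type of the root directory, so whatever lets rhgb mount here becomes a permission on root_t directories in general rather than on this one mount point. A type meant for mount points, or a dedicated one such as the `etc_rhgb_t` suggested in the message, would keep the access scoped to rhgb. The `-d` entry labels only the directory itself, which suits a mount point, but a one-line comment in rhgb.fc saying that it is a mount point would explain why it differs from the rest of /etc.
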
Changed to mnt_t
