Enable login from /dev/console.

Add the support to login and use the system from /dev/console. 1. Make gettty_t able to use the /dev/console; 2. Make local_login_t able to relabel /dev/console to user tty types; 3. Provide the type_change rule for relabeling /dev/console. All above supports are controlled by the allow_console tunable. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2025-03-11 07:40:18 +00:00 · 2011-01-10 18:09:22 +08:00 · 2011-01-10 18:09:22 +08:00 · fc1ef4ac3b
commit fc1ef4ac3b
parent 54e9d3ca75
4 changed files with 26 additions and 1 deletions
--- a/policy/global_tunables
+++ b/policy/global_tunables
@ -4,6 +4,13 @@
 # file should be used.
 #

+## <desc>
+## <p>
+## Allow logging in and using the system from /dev/console.
+## </p>
+## </desc>
+gen_tunable(allow_console,true)
+
 ## <desc>
 ## <p>
 ## Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@ -110,6 +110,7 @@ interface(`term_tty',`
 interface(`term_user_tty',`
 	gen_require(`
 		attribute ttynode;
+		type console_device_t;
 		type tty_device_t;
 	')

@ -122,6 +123,12 @@ interface(`term_user_tty',`
 	ifdef(`distro_debian',`
 		type_change $1 ttynode:chr_file $2;
 	')
+
+	tunable_policy(`allow_console',`
+		# When user logs in from /dev/console, relabel it
+		# to user tty type as well.
+		type_change $1 console_device_t:chr_file $2;
+	')
 ')

 ########################################
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@ -83,7 +83,6 @@ term_use_unallocated_ttys(getty_t)
 term_setattr_all_ttys(getty_t)
 term_setattr_unallocated_ttys(getty_t)
 term_setattr_console(getty_t)
-term_dontaudit_use_console(getty_t)

 auth_rw_login_records(getty_t)

@ -114,6 +113,13 @@ ifdef(`distro_ubuntu',`
 	')
 ')

+tunable_policy(`allow_console',`
+	# Support logging in from /dev/console
+	term_use_console(getty_t)
+',`
+	term_dontaudit_use_console(getty_t)
+')
+
 optional_policy(`
 	mta_send_mail(getty_t)
 ')
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@ -141,6 +141,11 @@ ifdef(`distro_ubuntu',`
 	')
 ')

+tunable_policy(`allow_console',`
+	# Able to relabel /dev/console to user tty types.
+	term_relabel_console(local_login_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(local_login_t)
 	fs_read_nfs_symlinks(local_login_t)