Allow root to log in w/ password on serial console

These additional SELinux policy rules are required to allow *root* to
log in on the serial console and directly assume the `sysadm_r` role.
Dustin 2023-03-14 14:40:14 -05:00
parent 292a4d2268
commit c259aad165
2 changed files with 37 additions and 0 deletions


@ -201,3 +201,15 @@ gen_require(`
') ')
allow ssh_keygen_t var_lib_t:dir rw_dir_perms; allow ssh_keygen_t var_lib_t:dir rw_dir_perms;
filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file) filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file)
# Allow login to execute /bin/busybox (via /bin/sh symlink)
gen_require(`
type local_login_t;
')
corecmd_exec_bin(local_login_t)
# Allow root to log in on the serial console
gen_require(`
type sysadm_t;
')
init_use_fds(sysadm_t)
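Review bot: `corecmd_exec_bin(local_login_t)` permits local_login_t to execute any bin_t file with no domain transition, which is broader than the comment's stated purpose of reaching /bin/busybox through the /bin/sh symlink; if the login shell then keeps running in local_login_t instead of the user domain, the direct assumption of sysadm_r described in the commit message would presumably not take effect, so the process context after a serial login is worth confirming. The comment should say why the exec lands on bin_t rather than the usual shell transition, e.g. `# busybox is labelled bin_t, so login's exec of /bin/sh does not go through the shell_exec_t domain transition`. Nothing in this hunk grants the sysadm_r role itself, so if that comes from seusers/default_contexts a pointer in the `# Allow root to log in on the serial console` comment would help the next reader; `init_use_fds(sysadm_t)` could likewise name the descriptor it is for, e.g. `# sysadm_t inherits the serial console fd opened by init (presumably via getty/login) — verify against the AVC denial`. The enclosing policy file continues outside the hunk on both sides.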


@ -0,0 +1,25 @@
From eb787b0e9ad66e719d7eb2d4bc942118a457d0d1 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Tue, 14 Mar 2023 13:40:23 -0500
Subject: [PATCH] Allow init to setattr on char devices
This is required for local logins to work.
---
refpolicy/policy/modules/system/init.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 7b44a43..bfa5d4d 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -385,6 +385,7 @@ ifdef(`init_systemd',`
dev_create_urand_dev(init_t)
# systemd writes to /dev/watchdog on shutdown
dev_write_watchdog(init_t)
+ dev_setattr_all_chr_files(init_t)
domain_read_all_domains_state(init_t)
# for starting systemd --user in the right domain:
--
2.39.0
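Review bot: `dev_setattr_all_chr_files(init_t)` grants setattr on every character-device type, while the patch description only says it is needed for local logins; if the underlying denial is on the console or tty device, a narrower terminal-device interface from terminal.if would cover it without extending init_t to all chr_file types, so the actual AVC message is worth checking before settling on the all-devices interface. The hunk's context label `ifdef(`init_systemd',`` together with the surrounding systemd comments suggests the new line sits inside the init_systemd block; if this policy is built without init_systemd the rule would be compiled out, so confirm the placement matches the init system in use. The patch description could also record the device and operation that was denied (the page does not show it, so a `[DEVICE_PATH]` placeholder stands for it here), e.g. `Needed because init sets ownership/mode on [DEVICE_PATH] before spawning login`. The enclosing ifdef block starts and ends outside the hunk.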