From c259aad16562076d5e173a9b2996e72f59cc85dd Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 14 Mar 2023 14:40:14 -0500
Subject: [PATCH] Allow root to log in w/ password on serial console
These additional SELinux policy rules are required to allow *root* to log in on the serial console and directly assume the `sysadm_r` role.
---
 .../selinux-aimee-os/files/aimee-os.te | 12 +++++++++
 ...llow-init-to-setattr-on-char-devices.patch | 25 +++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0006-Allow-init-to-setattr-on-char-devices.patch
diff --git a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
index 7fcf7d6..bb4a57c 100644
--- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
+++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@@ -201,3 +201,15 @@ gen_require(`
 ')
 allow ssh_keygen_t var_lib_t:dir rw_dir_perms;
 filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file)
+
+# Allow login to execute /bin/busybox (via /bin/sh symlink)
+gen_require(`
+ type local_login_t;
+')
+corecmd_exec_bin(local_login_t)
+
+# Allow root to log in on the serial console
+gen_require(`
+ type sysadm_t;
+')
+init_use_fds(sysadm_t)
diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0006-Allow-init-to-setattr-on-char-devices.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0006-Allow-init-to-setattr-on-char-devices.patch
new file mode 100644
index 0000000..12c8e84
--- /dev/null
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0006-Allow-init-to-setattr-on-char-devices.patch
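Review bot: The comment above `init_use_fds(sysadm_t)` records the goal ("Allow root to log in on the serial console") but not the access being granted — the sysadm_t domain using file descriptors inherited from init_t — so a later policy audit cannot tell whether the rule is still required or which denial it resolved. Record the observed denial next to the rule, e.g. `# sysadm_t uses an fd inherited from init_t (presumably the console tty); resolves AVC: <denial placeholder>`. Likewise `corecmd_exec_bin(local_login_t)` permits local_login_t to execute every bin_t file, not only busybox; if the busybox binary carries (or could be given) the shell_exec_t label, `corecmd_exec_shell(local_login_t)` would be the narrower grant — worth confirming against the actual file label before carrying the broad one. Both additions follow the file's existing pattern of a separate `gen_require` block per rule, consistent with the context lines above them.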
@@ -0,0 +1,25 @@
+From eb787b0e9ad66e719d7eb2d4bc942118a457d0d1 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch"
+Date: Tue, 14 Mar 2023 13:40:23 -0500
+Subject: [PATCH] Allow init to setattr on char devices
+
+This is required for local logins to work.
+---
+ refpolicy/policy/modules/system/init.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
+index 7b44a43..bfa5d4d 100644
+--- a/refpolicy/policy/modules/system/init.te
++++ b/refpolicy/policy/modules/system/init.te
+@@ -385,6 +385,7 @@ ifdef(`init_systemd',`
+ dev_create_urand_dev(init_t)
+ # systemd writes to /dev/watchdog on shutdown
+ dev_write_watchdog(init_t)
++ dev_setattr_all_chr_files(init_t)
+
+ domain_read_all_domains_state(init_t)
+ # for starting systemd --user in the right domain:
+--
+2.39.0
+
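Review bot: The embedded patch adds `dev_setattr_all_chr_files(init_t)`, which lets init_t change attributes (owner, mode, timestamps) on every character device node, while the only justification, in the nested commit message, is "This is required for local logins to work" and the rule itself carries no comment. The neighbouring line `# systemd writes to /dev/watchdog on shutdown` shows the file's convention of a one-line why-comment per non-obvious rule; add one naming the device the denial was seen on, e.g. `# local login: init sets owner/mode on the login tty — TODO confirm device from AVC: <denial placeholder>`. If the only node involved turns out to be the console, a narrower interface such as `term_setattr_console(init_t)` would avoid granting setattr on all character devices; worth confirming against the recorded denial before keeping the broad rule. The `ifdef(`init_systemd',` block the rule lands in starts and ends outside the hunk.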