Allow root to log in w/ password on serial console

These additional SELinux policy rules are required to allow *root* to log in on the serial console and directly assume the `sysadm_r` role.
2023-03-14 14:40:14 -05:00
parent 292a4d2268
commit c259aad165
2 changed files with 37 additions and 0 deletions
--- a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0006-Allow-init-to-setattr-on-char-devices.patch
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0006-Allow-init-to-setattr-on-char-devices.patch
@@ -0,0 +1,25 @@
+From eb787b0e9ad66e719d7eb2d4bc942118a457d0d1 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Tue, 14 Mar 2023 13:40:23 -0500
+Subject: [PATCH] Allow init to setattr on char devices
+
+This is required for local logins to work.
+---
+ refpolicy/policy/modules/system/init.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
+index 7b44a43..bfa5d4d 100644
+--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
+@@ -385,6 +385,7 @@ ifdef(`init_systemd',`
+ 	dev_create_urand_dev(init_t)
+ 	# systemd writes to /dev/watchdog on shutdown
+ 	dev_write_watchdog(init_t)
+	dev_setattr_all_chr_files(init_t)
+ 
+ 	domain_read_all_domains_state(init_t)
+ 	# for starting systemd --user in the right domain:
+-- 
+2.39.0
+