Description of problem:
With the latest kernel errata, the Xen serial console is on /dev/xvc0, and kudzu will add an 'agetty' line to /etc/inittab to launch a login prompt on this console. Unfortunately the agetty process is dying with an AVC denial. It appears the /dev/xvc0 device is not being labelled correctly - it has 'device_t' instead of 'tty_device_t' which the regular serial devices have.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.7-2.fc5
kernel-xenU-2.6.18-1.2200.fc5
kudzu-1.2.34.5-1

How reproducible:
Always

Steps to Reproduce:
1. Add 'co:2345:respawn:/sbin/agetty xvc0 9600 vt100-nav' to /etc/inittab
2. telinit q
3.

Actual results:
No login prompt appears on /dev/xvc0, AVC denials in logs:

audit(1162292248.586:4): avc: denied { getattr } for pid=1465 comm="agetty" name="xvc0" dev=tmpfs ino=1616 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

# ls -lZ /dev/ttyS0 /dev/xvc0
crw-------  root root system_u:object_r:tty_device_t   /dev/ttyS0
crw--w----  root tty  root:object_r:device_t           /dev/xvc0

Expected results:
Login prompt appears, no AVC denials

Additional info:

Temporary workaround

# ls -lZ /dev/xvc0
crw--w----  root tty  root:object_r:device_t           /dev/xvc0
# semanage fcontext -a -t tty_device_t -f -c /dev/xvc0
# restorecon /dev/xvc0
# ls -lZ /dev/xvc0
crw--w----  root tty  system_u:object_r:tty_device_t   /dev/xvc0

Be preferable to get the policy updated for FC5 though so it 'just works' for all users.

All of these bugs should be fixed in FC6. You could attempt to use the FC6 policy on FC5 or upgrade. Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log

and build local customized policy.
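
An added example, not part of the original report or of the SELinux tooling: a small triage script that parses the denial quoted above and separates denials whose target is a device node still carrying a generic type (the labelling problem described here, fixed with a file-context entry and restorecon) from denials that need a policy review. The GENERIC_TYPES set and the 'relabel' / 'review-policy' verdict names are assumptions of this example.

```python
import re

# Constructed sample input: the denial quoted in this report, as one log line.
SAMPLE_LOG = (
    'audit(1162292248.586:4): avc: denied { getattr } for pid=1465 '
    'comm="agetty" name="xvc0" dev=tmpfs ino=1616 '
    'scontext=system_u:system_r:getty_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: a device node that still has one of these
# generic types was never matched by a specific file-context entry.
GENERIC_TYPES = {"device_t", "file_t", "unlabeled_t"}

def parse_avc(line):
    """Return the key=value fields of an AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(ctx):
    """Type field of a context written as user:role:type[:level]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def triage(rec):
    """'relabel' when the target is a device node with a generic type."""
    ttype = context_type(rec.get("tcontext", ""))
    if rec.get("tclass") in ("chr_file", "blk_file") and ttype in GENERIC_TYPES:
        return "relabel"
    return "review-policy"

def report(log_text):
    """One (comm, name, source type, target type, verdict) tuple per denial."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rows.append((rec.get("comm"), rec.get("name"),
                         context_type(rec.get("scontext", "")),
                         context_type(rec.get("tcontext", "")), triage(rec)))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row)
```

A 'relabel' verdict points at the file context rather than at the policy rules: an allow rule generated for that denial would grant the source domain access to every object with the generic type, not only the one mislabelled node.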