Source: selinux-policy-default
Version: 2:2.20221101-9
Severity: normal
X-Debbugs-Cc: aeru...@aerusso.net

Dear Maintainer,

On a fresh bookworm installation, I have enabled selinux following [1]. I enabled enforcing mode, and tried to log in at the console tty (tty1, tty2, and tty6). journalctl -f shows an authentication error. Moreover, audit2why -al indicated that agetty was being denied when trying to use checkpoint_restore.

I used audit2allow -m local to create a policy and then compile and load it. This eliminated the selinux denial audit event, but did not change the overall behavior: I cannot log in as root at any ttys. I can, however, log in as a regular user, and use su to elevate to root privileges, though.

Creating a /etc/securetty file with tty0-tty6 and console does not change the situation. I've tried relabeling the filesystem several times.

The remaining audit2why -al all seem innocuous: NetworkManager, run-parts, utmp, apcupds, ModemManager, wall.

The only possibly suspect one is comm="(spawn)" accessing files under /proc (scontext=system_u:system_r:udev_t:s0), though I would think that's not a problem.

I'm at a loss for what could be different between enforcing and permissive mode, and I'm not even sure what logs to look at.

Best,
Antonio

[1] https://wiki.debian.org/SELinux/Setup