Issue

Some hardware platforms provide a management interface that presents a serial console to the OS. In Linux, the native console is managed by getty, mingetty, agetty, etc., depending on the distribution and installation options.

In the case of an ILO/ILM-presented virtual serial console, the login may be managed by a separate getty process, in addition to the process watching the primary console.

The getty processes, depending on their context, may have different SELinux policies, and actions permitted on one may not be permitted on the other.

Resolution / Workaround

When BoKS is installed, or when SELinux compatibility is added via hotfix, policy definitions are installed that make SELinux BoKS-aware. If these policy definitions have not been properly installed, SELinux may block certain BoKS functions.

The first place to look for SELinux vs. BoKS errors is in the /var/log/audit.log file. Look for entries with type=AVC where the name field points to a BoKS component. For example:

type=AVC msg=audit(1441290643.091:178): avc: denied { read write } for pid=5943 comm="login" name="297FFD00-servc_queue.listen" dev=dm-2 ino=142724 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file

These kinds of errors, where SELinux and BoKS aren't getting along, are usually the result of the policy definitions not being installed, or not installed correctly.
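
The check described above, as an added example that is not part of the original article or of BoKS tooling: it parses AVC denial records and groups those touching a BoKS-named object by the source domain of the denied process, which shows whether more than one login context (for example the primary console and a virtual serial console) is being blocked. The default name pattern `servc` is taken from the sample record and is an assumption; records 2 to 4 of the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample. Record 1 is the denial quoted above; records 2-4 are
# made up (a second login domain, an unrelated denial, a non-AVC event).
SAMPLE_LOG = """\
type=AVC msg=audit(1441290643.091:178): avc: denied { read write } for pid=5943 comm="login" name="297FFD00-servc_queue.listen" dev=dm-2 ino=142724 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1441290701.512:201): avc: denied { read write } for pid=6011 comm="login" name="297FFD00-servc_queue.listen" dev=dm-2 ino=142724 scontext=system_u:system_r:remote_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1441290755.004:230): avc: denied { getattr } for pid=6100 comm="httpd" name="index.html" dev=dm-0 ino=5521 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1441290755.004:230): arch=c000003e syscall=4 success=no exit=-13 pid=6100 comm="httpd"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc_denials(text):
    """Return one dict per 'type=AVC ... denied' record found in text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line) if "type=AVC" in line else None
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        rec["perms"] = " ".join(m.group("perms").split())
        records.append(rec)
    return records

def selinux_type(context):
    """A context is user:role:type[:level]; the type is the third field."""
    return context.split(":")[2]

def denials_by_domain(text, name_pattern=r"servc"):
    """Count denials whose object name matches name_pattern, keyed by
    (source domain, target type, class, permissions)."""
    pat = re.compile(name_pattern)
    summary = Counter()
    for rec in parse_avc_denials(text):
        if pat.search(rec.get("name", "")) or pat.search(rec.get("path", "")):
            summary[(selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]),
                     rec["tclass"], rec["perms"])] += 1
    return summary

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in denials_by_domain(SAMPLE_LOG).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {perms} }}")
```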

To check whether the BoKS modules are installed, run the following command:

# semodule -l | grep boks

If they are not installed, try re-running the BoKS SELinux setup script and then restarting BoKS:

# boksadm -S

BoKS# /opt/boksm/sbin/setup_selinux.sh

BoKS# Boot

** NOTE **

BoKS SELinux configuration requires the semanage command. This command may not be installed by default with your Linux distribution, or with the installation options you chose when building the OS. If the command is missing, the setup_selinux.sh script will produce the following error:

The command "semanage" is needed to setup BoKS in an
SELinux enabled environment. On RHEL 6 this tool is
provided by the package policycoreutils-python.

You must install the policycoreutils-python package and then re-run the setup_selinux.sh script.

Once you have the SELinux module and policies installed correctly, try the console login again.



Last Modified On: May 25, 2018