Bug 604012

Summary: avc: denied { read write } for ... comm="passwd" name="ttyS0" dev=devtmpfs ...
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: high
Priority: high
Reporter: Milos Malik <mmalik>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: mgrepl
Target Milestone: rc
Doc Type: Bug Fix
Last Closed: 2010-06-16 10:01:48 UTC

Description Milos Malik 2010-06-15 07:28:07 UTC
Description of problem:
Several tests I executed yesterday reported the same AVC.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-24.el6.noarch
selinux-policy-targeted-3.7.19-24.el6.noarch

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:
--
type=SYSCALL msg=audit(1276527987.977:48427): arch=c000003e syscall=59 success=yes exit=0 a0=2860220 a1=2865b90 a2=285e0a0 a3=20 items=0 ppid=24494 pid=24558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1276527987.977:48427): avc:  denied  { read write } for  pid=24558 comm="passwd" name="ttyS0" dev=devtmpfs ino=5043 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
--

Expected results:
no AVCs

Comment 2 RHEL Product and Program Management 2010-06-15 07:53:12 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 4 Milos Malik 2010-06-15 11:43:43 UTC
It seems that kexec has the same problem as passwd.

----
time->Tue Jun 15 05:51:42 2010
type=SYSCALL msg=audit(1276595502.547:40576): arch=c000003e syscall=59 success=yes exit=0 a0=1266ee0 a1=125f150 a2=1266ff0 a3=20 items=0 ppid=14499 pid=14502 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="kexec" exe="/sbin/kexec" subj=unconfined_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1276595502.547:40576): avc:  denied  { read append } for  pid=14502 comm="kexec" path="/dev/ttyS0" dev=devtmpfs ino=5009 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1276595502.547:40576): avc:  denied  { read write } for  pid=14502 comm="kexec" name="ttyS0" dev=devtmpfs ino=5009 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
----

Comment 5 Daniel Walsh 2010-06-15 20:33:48 UTC
Why did you run restorecon -R -v /dev?  This causes /dev/ttyS0 to be set back to the default label, causing these avc messages.

When you log in, the login program labels the tty to match the process.  If you run restorecon it sets it back to the state of a user not being logged in.

You should never need to run restorecon on /dev.  Udev manages that directory.

I think I should close this as not a bug.
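
The diagnosis in Comment 5 can be checked against an audit log. The following is an added example, not part of the original thread or of any Red Hat tool: it pairs each AVC with its SYSCALL record by audit event ID and reports denials on a tty character device that still carries the default tty_device_t type while the process belongs to a login session. The daemon event with serial 50000 and the name exampled are constructed, and treating an AVC without a SYSCALL record as outside any session is an assumption of the heuristic.

```python
import re
from collections import defaultdict

# Constructed sample: the page's audit records cut down to the fields used here,
# plus one constructed daemon event (serial 50000; "exampled" is hypothetical).
SAMPLE = """\
type=SYSCALL msg=audit(1276527987.977:48427): syscall=59 auid=0 ses=3 comm="passwd"
type=AVC msg=audit(1276527987.977:48427): avc:  denied  { read write } for  pid=24558 comm="passwd" name="ttyS0" dev=devtmpfs ino=5043 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1276595502.547:40576): syscall=59 auid=0 ses=3 comm="kexec"
type=AVC msg=audit(1276595502.547:40576): avc:  denied  { read append } for  pid=14502 comm="kexec" path="/dev/ttyS0" dev=devtmpfs ino=5009 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1276595502.547:40576): avc:  denied  { read write } for  pid=14502 comm="kexec" name="ttyS0" dev=devtmpfs ino=5009 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1276600000.000:50000): syscall=2 auid=4294967295 ses=4294967295 comm="exampled"
type=AVC msg=audit(1276600000.000:50000): avc:  denied  { read write } for  pid=900 comm="exampled" name="ttyS0" dev=devtmpfs ino=5009 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
"""

EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
UNSET_AUID = "4294967295"          # audit value for a process outside any login session
DEFAULT_TTY_TYPE = "tty_device_t"  # type the page's AVCs show on ttyS0 after restorecon

def fields(line):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def reset_tty_denials(log):
    """List (serial, comm, device, perms) for session processes denied on a default-labelled tty."""
    events = defaultdict(lambda: {"syscall": {}, "avcs": []})
    for line in log.splitlines():
        m = EVENT.match(line)
        perms = PERMS.search(line)
        if m and m.group(1) == "SYSCALL":
            events[m.group(2)]["syscall"] = fields(line)
        elif m and m.group(1) == "AVC" and perms:
            events[m.group(2)]["avcs"].append(dict(fields(line), perms=perms.group(1).split()))
    hits = []
    for eid, ev in events.items():
        # Assumption: an AVC with no SYSCALL record is treated as having no login session.
        in_session = ev["syscall"].get("auid", UNSET_AUID) != UNSET_AUID
        for avc in ev["avcs"]:
            dev = avc.get("name") or avc.get("path", "").rsplit("/", 1)[-1]
            ctx = avc.get("tcontext", "").split(":")
            on_default_tty = (avc.get("tclass") == "chr_file" and dev.startswith("tty")
                              and len(ctx) > 2 and ctx[2] == DEFAULT_TTY_TYPE)
            if in_session and on_default_tty:
                hits.append((eid.split(":")[1], avc.get("comm"), dev, avc["perms"]))
    return hits
```

Calling `reset_tty_denials(SAMPLE)` returns the passwd and kexec denials from this report and skips the constructed daemon event. A hit is a reason to look for a relabel of /dev, such as the restorecon run discussed above, before considering any policy change.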

Comment 6 Milos Malik 2010-06-16 05:51:09 UTC
I'm sorry I didn't know that udev also manages SELinux labels in /dev. Agreed - not a bug.

Comment 7 Miroslav Grepl 2010-06-16 10:01:48 UTC
I am closing it as NOTABUG.