Bug 1038746

Summary: SELinux is preventing /usr/sbin/rsyslogd from 'open' accesses on the chr_file /dev/pts/0.
Product: [Fedora] Fedora Reporter: Kamil Páral <kparal>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: dominick.grift, dwalsh, jlieskov, lkundrak, lvrabec, mah.darade, mgrepl, theinric
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:50d77ea8bff4579ab975cd5f60cc44ce17fa6a3cde4dab62d0b0c96cdb2dacb0
Fixed In Version: selinux-policy-3.12.1-116.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-16 07:09:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kamil Páral 2013-12-05 18:05:10 UTC 
Description of problem:
I saw this error when I finished "yum update".
SELinux is preventing /usr/sbin/rsyslogd from 'open' accesses on the chr_file /dev/pts/0.

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow logging to syslogd use tty
Then you must tell SELinux about this by enabling the 'logging_syslogd_use_tty' boolean.
You can read 'None' man page for more details.
Do
setsebool -P logging_syslogd_use_tty 1

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow daemons to use tty
Then you must tell SELinux about this by enabling the 'daemons_use_tty' boolean.
You can read 'None' man page for more details.
Do
setsebool -P daemons_use_tty 1

*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that rsyslogd should be allowed open access on the 0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep 72733A6D61696E20513A526567 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                unconfined_u:object_r:user_devpts_t:s0
Target Objects                /dev/pts/0 [ chr_file ]
Source                        72733A6D61696E20513A526567
Source Path                   /usr/sbin/rsyslogd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           rsyslog-7.4.2-2.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.11.9-300.fc20.x86_64 #1 SMP Wed
                              Nov 20 22:23:25 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-12-05 19:03:32 CET
Last Seen                     2013-12-05 19:03:32 CET
Local ID                      9d10f9fb-2374-4e12-b932-b6a6843b02cf

Raw Audit Messages
type=AVC msg=audit(1386266612.841:5691): avc:  denied  { open } for  pid=853 comm=72733A6D61696E20513A526567 path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1386266612.841:5691): arch=x86_64 syscall=open success=yes exit=ETXTBSY a0=7f99261d7650 a1=901 a2=8 a3=1 items=0 ppid=1 pid=853 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=72733A6D61696E20513A526567 exe=/usr/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null)

Hash: 72733A6D61696E20513A526567,syslogd_t,user_devpts_t,chr_file,open

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.9-300.fc20.x86_64
type:           libreport

Potential duplicate: bug 730987
Comment 1 Kamil Páral 2013-12-05 18:48:15 UTC 
Might be related to the latest re-appearance of bug 781807.
Comment 2 Daniel Walsh 2013-12-05 20:35:08 UTC 
Not sure why that is.

Translating the AVC shows.

type=SYSCALL msg=audit(12/05/2013 13:03:32.841:5691) : arch=unknown elf type(x86_64) syscall=read success=yes exit=ETXTBSY a0=0x7f99261d7650 a1=0x901 a2=0x8 a3=0x1 items=0 ppid=1 pid=853 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=rs:main Q:Reg exe=/usr/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null) 
type=AVC msg=audit(12/05/2013 13:03:32.841:5691) : avc:  denied  { open } for  pid=853 comm=rs:main Q:Reg path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file 


Any idea why rsyslog would be trying to talk to a user terminal?  Also what is 

"rs:main Q:Reg"
Comment 3 Tomas Heinrich 2013-12-10 15:40:43 UTC 
(In reply to Daniel Walsh from comment #2)
> Any idea why rsyslog would be trying to talk to a user terminal?

Messages with the "emergency" severity go to all terminals per the default configuration.
rsyslog.conf:
> # Everybody gets emergency messages
> *.emerg  :omusrmsg:*

Looking at the other BZ, the messages came from packagekit.
Given that this is the default configuration, rsyslog should probably be allowed to write to terminals.

> Also what is "rs:main Q:Reg"

There are multiple threads handling the individual message queues. This looks like the "main message queue" thread.
Comment 4 Tomas Heinrich 2013-12-13 10:35:24 UTC 
I'll just switch this back to selinux-policy. I'd say it's desirable to allow this usecase.
Comment 5 Daniel Walsh 2013-12-16 15:58:05 UTC 
Turning on the logging_syslogd_use_tty boolean would allow this.

setsebool -P logging_syslogd_use_tty 1

I guess we could turn this on by default.
Comment 6 Miroslav Grepl 2014-01-07 14:35:34 UTC 
commit 9c3b38d294ab23b4077edd81533ba63153d1b6c9
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jan 7 15:28:55 2014 +0100

    Turn on logging_syslogd_use_tty by default
Comment 7 Fedora Update System 2014-01-13 22:55:16 UTC 
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Comment 8 Fedora Update System 2014-01-15 05:56:54 UTC 
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2014-01-16 07:09:24 UTC 
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.