Bug 123002
| Summary: | screen avc denies | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Leonard den Ottolander <leonard-rh-bugzilla> | ||||
| Component: | policy | Assignee: | Daniel Walsh <dwalsh> | ||||
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | rawhide | CC: | pgraner, twaugh | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2004-07-20 12:36:06 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 100181 [details]
policy-screen.patch
Even if screen is allowed to execute utempter, utempter fails because it can't
read/write ptmx devices. So I think this should be a dontaudit.
Fixed in selinux-policy-strict-1.13.2-7 Fixed in Rawhide |
policy-1.11.3-3, permissive mode Running screen as user causes the following denies: May 11 10:34:08 a3aan kernel: audit(1084264448.257:0): avc: denied { execute } for pid=2683 exe=/usr/bin/screen name=utempter dev=hda2 ino=27698 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:utempter_exec_t tclass=file May 11 10:34:08 a3aan kernel: audit(1084264448.258:0): avc: denied { execute_no_trans } for pid=2683 exe=/usr/bin/screen path=/usr/sbin/utempter dev=hda2 ino=27698 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:utempter_exec_t tclass=file May 11 10:34:08 a3aan kernel: audit(1084264448.258:0): avc: denied { read } for pid=2683 exe=/usr/bin/screen path=/usr/sbin/utempter dev=hda2 ino=27698 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:utempter_exec_t tclass=file May 11 10:34:08 a3aan kernel: audit(1084264448.298:0): avc: denied { search } for pid=2683 exe=/usr/sbin/utempter name=log dev=hda2 ino=388629 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:var_log_t tclass=dir May 11 10:34:08 a3aan kernel: audit(1084264448.300:0): avc: denied { write } for pid=2683 exe=/usr/sbin/utempter name=wtmp dev=hda2 ino=390201 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:wtmp_t tclass=file May 11 10:34:08 a3aan kernel: audit(1084264448.301:0): avc: denied { lock } for pid=2683 exe=/usr/sbin/utempter path=/var/log/wtmp dev=hda2 ino=390201 scontext=user_u:user_r:user_screen_t tcontext=system_u:object_r:wtmp_t tclass=file