Bug 1319821

Summary: AVC denial appeared with the kerberized telnet daemon
Product: Red Hat Enterprise Linux 6 Reporter: Patrik Kis <pkis>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED NOTABUG QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.8CC: dwalsh, lvrabec, mgrepl, mmalik, pkis, plautrba, pvrabec, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-04 08:58:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Patrik Kis 2016-03-21 15:27:24 UTC 
Description of problem:
The following AVC denial appeared when the the kerberized telnet client tried to log in to kerberized trelnet daemon.
The issue appeared only once.

time->Thu Mar 17 06:40:48 2016
type=PATH msg=audit(1458193248.406:114): item=0 name="/dev/pts/2" inode=5 dev=00:0b mode=020666 ouid=0 ogid=0 rdev=88:02 obj=unconfined_u:object_r:user_devpts_t:s0 nametype=NORMAL
type=CWD msg=audit(1458193248.406:114):  cwd="/"
type=SYSCALL msg=audit(1458193248.406:114): arch=c000003e syscall=2 success=no exit=-13 a0=7fc12af848e0 a1=2 a2=6 a3=7ffffc036360 items=1 ppid=18815 pid=18879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="telnetd" exe="/usr/kerberos/sbin/telnetd" subj=unconfined_u:system_r:telnetd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1458193248.406:114): avc:  denied  { read write } for  pid=18879 comm="telnetd" name="2" dev=devpts ino=5 scontext=unconfined_u:system_r:telnetd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-289.el6

How reproducible:
it happened only once

Steps to Reproduce:
1. Set up kerberos and start the kerberized telent daemon:
# chkconfig krb5-telnet on

2. Get TGT:
# kinit test-user

3. Try to telnet:

# /usr/kerberos/bin/telnet -l test-user <hostname>
Comment 2 Lukas Vrabec 2016-10-03 14:13:23 UTC 
Are we able to reproduce it? 
In description is: 
How reproducible: it happened only once
Comment 3 Patrik Kis 2016-10-04 07:51:58 UTC 
I can not reproduce it. I've run the test that produced this AVC denial on the released RHEL-6.8 about 100 times and the reported issue was not seen again.
Comment 4 Lukas Vrabec 2016-10-04 08:39:34 UTC 
Patrik, 
THanks for testing. Do you agree on closing this issue as NOTABUG ?
Comment 5 Patrik Kis 2016-10-04 08:58:18 UTC 
Sure, go ahead.
Comment 6 Lukas Vrabec 2016-10-04 08:58:52 UTC 
See comment#2