Bug 138764

Summary: SELinux FAQ - terminal device tty unlabeled or mislabeled
Product: [Fedora] Fedora Documentation
Component: selinux-faq
Reporter: Karsten Wade <kwade>
Assignee: Karsten Wade <kwade>
QA Contact: Tammy Fox <tammy.c.fox>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: devel
CC: laubersm+fedora, mattdm
Hardware: All
OS: Linux
URL: http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html
Doc Type: Bug Fix
Last Closed: 2009-02-27 21:28:44 UTC
Bug Blocks: 118757

Description Karsten Wade 2004-11-11 00:56:02 UTC
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

Consider for addition to FAQ, if there continues to be interest in
SELinux on FC2 ...

<lockdown> ecute_no_trans } for  pid=2750 exe=/usr/sbin/prelink
path=/lib/ld-2.3.3.so dev=hda1 ino=32080 scontext=system_u:system_r:prelink_t
tcontext=system_u:object_r:ld_so_t tclass=file
<lockdown> that error I got from last night's cron so I added allow
prelink_t ld_so_t:file { execute_no_trans }; to custom.te and did a
make,  the make gave the following errors:
<lockdown> kernel: audit(1099766943.388:0): avc:  denied  { read write }
for  pid=3011 exe=/usr/bin/checkpolicy path=/dev/tty2 dev=hda1 ino=26786
scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t
tclass=chr_file
<lockdown> kernel: audit(1099766955.563:0): avc:  denied  { write }
for  pid=3018 exe=/usr/bin/checkpolicy path=/ dev=hda1 ino=5901
scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:root_t
tclass=chr_file
<lockdown> should I just write rules allowing that?
<etbe> lockdown: Is that on FC2?  FC3 has policy to allow prelink_t
execute_no_trans access to ld_so_t...
<lockdown> yeah this is fc2
<etbe> lockdown: So you are logged on in tty2 when you run
checkpolicy?  Your terminal device is not labeled.  Did you run
setfiles in permissive mode and tell it to label /dev?
<lockdown> yeah I ran the make command on tty2,  didn't run setfiles
<etbe> root_t:chr_file?  That's pretty messed up, especially when the
path is described as "/".
<lockdown> it's pretty much a clean install with just a yum update
<etbe> lockdown: Logout and login again.  Run "ls -lZ `tty` " and you
should see the type as sysadm_tty_device_t.
<etbe> lockdown: We haven't done much testing of SE Linux with the
updates to FC2.  Maybe some of the updates broke things.  Installing
FC3T3 or FC3-rc would make things much easier for you...
<etbe> lockdown: Of course you'll learn a lot more about SE Linux by
starting with FC2.  ;)
<lockdown> I am gonna install fc3 final when I get it,  I'm just
playing around till then,  so it's not a big deal
<etbe> lockdown: OK.  Do you get the correct context for the terminal
after logging out and logging in again?
<lockdown> I logged out of both tty1 and tty2, logged in, and on each ls
-lZ `tty`    both are root:object_r:sysadm_tty_device_t
<etbe> lockdown: That's what you want!
<lockdown> so try make again?
<etbe> lockdown: Yes, it'll all work now.
<etbe> lockdown: You must have run something like setfiles while
logged in.  Could be fixfiles or restorecon.  In enforcing mode they
wouldn't relabel your terminal, but in permissive they will.
<lockdown> ah, yeah I did fixfiles after installing some of the packages
<lockdown> definitely fixed that issue,  it's pretty far into the make
and no errors,  last time they came immediately


Version-Release of FAQ:

selinux-faq-1.2-10 (2004-11-09-T16:20-0800)
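An added example, not part of this report or the FAQ: a POSIX shell checker for the two symptoms the exchange above walks through, the type shown by `ls -lZ $(tty)` and an AVC denial against a tty_device_t chr_file. The ls lines are constructed to match the chat's description; the AVC lines are the two pasted in the report.

```shell
# Added example (not from the bug report or the FAQ): classify an
# `ls -lZ $(tty)` line and an AVC denial line for the symptom above,
# a terminal relabeled under a live login session.

# Third field of user:role:type[:level], e.g. sysadm_tty_device_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type of the file's context in one line of `ls -lZ` output; the context
# is the first field shaped like u:r:t, whichever column ls puts it in.
ls_z_type() {
    ctx_type "$(printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[^:]+:[^:]+:[^:]+/) { print $i; exit } }')"
}

# 0: terminal carries a per-role login type (sysadm_tty_device_t, ...).
# 1: generic tty_device_t, what setfiles/fixfiles/restorecon leave on
#    /dev/tty* when run in permissive mode under a logged-in session;
#    the cure in the chat is to log out and back in.  2: anything else.
tty_label_ok() {
    case "$(ls_z_type "$1")" in
        tty_device_t)   return 1 ;;
        *_tty_device_t) return 0 ;;
        *)              return 2 ;;
    esac
}

# True for an AVC denial whose target is a tty_device_t chr_file: the
# signature in the log when checkpolicy ran on the mislabeled tty2.
avc_tty_mislabel() {
    case "$1" in *avc:*denied*) ;; *) return 1 ;; esac
    tctx=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tcls=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ "$(ctx_type "$tctx")" = tty_device_t ] && [ "$tcls" = chr_file ]
}

# Constructed ls lines (old coreutils -lZ layout); AVC lines from the report.
GOOD_LS='crw--w----  root tty root:object_r:sysadm_tty_device_t /dev/tty1'
BAD_LS='crw--w----  root tty system_u:object_r:tty_device_t /dev/tty2'
AVC_TTY='kernel: audit(1099766943.388:0): avc:  denied  { read write } for  pid=3011 exe=/usr/bin/checkpolicy path=/dev/tty2 dev=hda1 ino=26786 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file'
AVC_ROOT='kernel: audit(1099766955.563:0): avc:  denied  { write } for  pid=3018 exe=/usr/bin/checkpolicy path=/ dev=hda1 ino=5901 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:root_t tclass=chr_file'

report() {
    tty_label_ok "$GOOD_LS" && echo "tty1: ok"
    tty_label_ok "$BAD_LS"  || echo "tty2: mislabeled, log out and back in"
    avc_tty_mislabel "$AVC_TTY" && echo "AVC matches the tty symptom"
}
```

On a live system, feed `ls_z_type "$(ls -lZ "$(tty)")"` instead of the constructed lines; `report` is only there to exercise the samples.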

Comment 1 Matthew Miller 2005-04-26 15:10:57 UTC
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.

Comment 2 Susan Lauber 2009-02-27 21:28:44 UTC
I am closing the ancient bug.

FYI
There is an FC5 FAQ http://docs.fedoraproject.org/selinux-faq/
and a list of proposed updates in the wiki at
https://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions

Additional FAQ work will likely remain in the wiki but there is also
a F10 SELinux Users Guide http://docs.fedoraproject.org/selinux-user-guide/