Bug 181818
Summary: SELinux default targeted policy blocks talk (in.ntalkd) from working

| Field | Value |
|---|---|
| Product | Fedora |
| Component | selinux-policy |
| Version | 4 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Reporter | Wayne Pollock <pollock> |
| Assignee | Daniel Walsh <dwalsh> |
| CC | jon.fairbairn, mitr |
| Doc Type | Bug Fix |
| Last Closed | 2006-05-09 19:18:47 UTC |
Description
Wayne Pollock
2006-02-16 20:39:38 UTC
Thanks! From testing at the console it seems it will be necessary to allow also tty_device_t:chr_file write. Note that the work-around rules seem to allow any xinetd service this access, not just the talk daemon. When officially modifying the targeted policy, I hope someone with more skill than I have will research this to only put in the minimum set of rules. I note in passing that Fedora Core 4 seems to ship with three different talk daemons, talkd, ntalkd, and ktalkd, but I have no idea what the differences might be. There appears to be a boolean for ktalk, but I don't know what it is for. Finally, remember that ntalkd (at least) needs permissions to create its log file and packet capture file, when the -d and -p options are used. When the proper set of minimal rules are known, please add them to this bug report as a better work-around, until the next release of the targeted (and strict?) policy that includes them.

Did you try setting chcon -t ktalkd_exec_t /usr/sbin/in.talkd, or whatever path it has?

Nope. All I did was run audit2allow and add the rules it said it wanted. I know these aren't the best set for this, but I'm not an SELinux expert and it only had to work as a temporary work-around, so I haven't researched the issue any further once talk started working. I leave finding the best fix to you. (Only post it here when you figure it out!)

I made the change in policy mentioned above in the latest devel (rawhide) policy, so could you try it and make sure it works? If it does I will make the same change in FC4.

I can see no change with selinux-policy-targeted-2.2.20-1.

Changing the type to ktalkd_exec_t doesn't help either:

type=AVC msg=audit(1140741294.248:20): avc: denied { read } for pid=1416 comm="in.ntalkd" name="utmp" dev=dm-0 ino=98311 scontext=root:system_r:ktalkd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1140741294.248:20): arch=40000003 syscall=5 success=no exit=-13 a0=fbff12 a1=0 a2=1 a3=fbff18 items=1 pid=1416 auid=0 uid=99 gid=5 euid=99 suid=99 fsuid=99 egid=5 sgid=5 fsgid=5 comm="in.ntalkd" exe="/usr/sbin/in.ntalkd"
type=CWD msg=audit(1140741294.248:20): cwd="/dev"
type=PATH msg=audit(1140741294.248:20): item=0 name="/var/run/utmp" flags=101 inode=98311 dev=fd:00 mode=0100664 ouid=0 ogid=22 rdev=00:00
type=AVC msg=audit(1140741294.272:21): avc: denied { read } for pid=1416 comm="in.ntalkd" name="utmp" dev=dm-0 ino=98311 scontext=root:system_r:ktalkd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1140741294.272:21): arch=40000003 syscall=5 success=no exit=-13 a0=fbff12 a1=0 a2=0 a3=fbff18 items=1 pid=1416 auid=0 uid=99 gid=5 euid=99 suid=99 fsuid=99 egid=5 sgid=5 fsgid=5 comm="in.ntalkd" exe="/usr/sbin/in.ntalkd"
type=CWD msg=audit(1140741294.272:21): cwd="/dev"
type=PATH msg=audit(1140741294.272:21): item=0 name="/var/run/utmp" flags=101 inode=98311 dev=fd:00 mode=0100664 ouid=0 ogid=22 rdev=00:00

Does the application work? I.e. is it generating these AVC messages but still working?

No, the client reports roughly "user root is not logged in".

Ok, can you setenforce 0 and then tell me if additional avc messages are generated?

If you want to get it working now, you can build a loadable policy module to add this rule by executing

# audit2allow -M talkd -i /var/log/audit/audit.log
# semodule -i talkd.pp

Created attachment 125375 [details]
module for running in.ntalkd from xinitrc
The attached module allows running in.ntalkd as inetd_child_t.
Running as ktalkd requires all of the "allow" rules except for the
initrc_var_run_t one.
Created attachment 125446 [details]
Allow writing to /var/log/talkd.{log,packets}
An additional module, to allow the debug output. I'm not sure we want this one, it probably allows too much and the logs are really for debugging talkd.
*** Bug 183995 has been marked as a duplicate of this bug. ***