Bug 213277
| Summary: | AVC denial for agetty trying to open /dev/xvc0 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daniel Berrangé <berrange> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5 | CC: | dwalsh, xen-maint |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-02-14 15:17:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Temporary workaround # ls -lZ /dev/xvc0 crw--w---- root tty root:object_r:device_t /dev/xvc0 # semanage fcontext -a -t tty_device_t -f -c /dev/xvc0 # restorecon /dev/xvc0 # ls -lZ /dev/xvc0 crw--w---- root tty system_u:object_r:tty_device_t /dev/xvc0 Be preferrable to get the policy updated for FC5 though so it 'just works' for all users. All of these bugs should be fixed in FC6, You could attempt to use the FC6 policy on FC5 or upgrade. Or you could use audit2allow -M mypolicy -i /var/log/audit/audit.log and build local customized policy |
Description of problem: With the latest kernel errata, the Xen serial console is on /dev/xvc0, and kudzu will add a 'agetty' line to /etc/inittab to launch a login prompt on this console. Unfortunately the agetty process is dieing with an AVC denial. It appears the /dev/xvc0 device is not being labelled correctly - it has 'device_t' instead of 'tty_device_t' which the regular serial devices have. Version-Release number of selected component (if applicable): selinux-policy-targeted-2.3.7-2.fc5 kernel-xenU-2.6.18-1.2200.fc5 kudzu-1.2.34.5-1 How reproducible: Always Steps to Reproduce: 1. Add 'co:2345:respawn:/sbin/agetty xvc0 9600 vt100-nav' to /etc/inittab 2. telinit q 3. Actual results: No login prompt appears on /dev/xvc0, AVC denials in logs: audit(1162292248.586:4): avc: denied { getattr } for pid=1465 comm="agetty" name="xvc0" dev=tmpfs ino=1616 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file # ls -lZ /dev/ttyS0 /dev/xvc0 crw------- root root system_u:object_r:tty_device_t /dev/ttyS0 crw--w---- root tty root:object_r:device_t /dev/xvc0 Expected results: Login prompt appears, no AVC denials Additional info: