Bug 417291

Summary: SELinux message for
Product: [Fedora] Fedora Reporter: Nils Hammar <u60149431>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 8   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-30 19:18:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nils Hammar 2007-12-09 15:59:54 UTC 
Description of problem:
avc: denied { read write } for comm=unix_chkpwd

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-62.fc8

How reproducible:
Always

Steps to Reproduce:
1. Open a telnet session and log in.
2. Message "setroubleshoot: #012    SELinux prevented /sbin/unix_chkpwd from
using the terminal <Unknown>.#012     For complete SELinux messages. run sealert
-l 88ecc162-adf0-406c-b611-a880ec73f5f5" appears in /var/log/messages.
  
Actual results:
Login succeeds, but the log message is annoying.

Expected results:
No log message.

Additional info:
[root@xxx ~]# sealert -l 88ecc162-adf0-406c-b611-a880ec73f5f5
Summary
    SELinux prevented /sbin/unix_chkpwd from using the terminal <Unknown>.

Detailed Description
    SELinux prevented /sbin/unix_chkpwd from using the terminal <Unknown>. In
    most cases daemons do not need to interact with the terminal, usually these
    avc messages can be ignored.  All of the confined daemons should have
    dontaudit rules around using the terminal.  Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this selinux-
    policy.  If you would like to allow all daemons to interact with the
    terminal, you can turn on the allow_daemons_use_tty boolean.

Allowing Access
    Changing the "allow_daemons_use_tty" boolean to true will allow this access:
    "setsebool -P allow_daemons_use_tty=1."

    The following command will allow this access:
    setsebool -P allow_daemons_use_tty=1

Additional Information        

Source Context                system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:telnetd_devpts_t:s0
Target Objects                None [ chr_file ]
Affected RPM Packages         pam-0.99.8.1-10.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-62.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_daemons_use_tty
Host Name                     xxx.int.*.com
Platform                      Linux xxx.int.*.com 2.6.23.8-63.fc8 #1 SMP
                              Wed Nov 21 18:51:08 EST 2007 i686 i686
Alert Count                   66
First Seen                    Tue Dec  4 02:09:21 2007
Last Seen                     Sun Dec  9 16:53:59 2007
Local ID                      88ecc162-adf0-406c-b611-a880ec73f5f5
Line Numbers                  

Raw Audit Messages            

avc: denied { read write } for comm=unix_chkpwd dev=devpts egid=0 euid=0
exe=/sbin/unix_chkpwd exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=4 pid=3200
scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 suid=0 tclass=chr_file
tcontext=system_u:object_r:telnetd_devpts_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-12-10 14:35:07 UTC 
These can be safely ignored, and will be dontaudited in the next release.

Fixed in selinux-policy-3.0.8-68.fc8
Comment 2 Daniel Walsh 2008-01-30 19:18:55 UTC 
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.