Bug 437592
| Summary: | 'Authorization Indicator' (gold badge) invisible when SELinux mode is 'Enforcing' | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Patrick J. Maloney <patrick_maloney> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 8 | CC: | jkubin, mitr, tmraz |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-03-30 10:15:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Patrick J. Maloney
2008-03-15 01:37:57 UTC
/sbin/pam_timestamp_check is not allowed to access /var/run/utmp.
This is what auditallow produces:
allow pam_t initrc_var_run_t:file { read write lock };
but perhaps /var/run/utmp should have a different context?
Does it work if you just allow read and lock? Which is what I will add in 94. You can allow this for now by executing

```
# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp
```

Fixed in selinux-policy-3.0.8-94.fc8

Yes, {read lock} is enough.
Right after the first three comments were posted, I created a custom policy
module to implement the {read lock} permissions and it worked fine. However, I
just removed that custom policy module and pulled down
selinux-policy-3.0.8-95.fc8 from updates-testing and this issue is not fixed as
of that release. If I reapply my custom policy module, it again works
correctly. Please advise.
Please attach the avc messages you are seeing without your fix applied?

Where would I find those? I don't get any SE alerts (and never have even before
I reported the bug). I'm curious where Miloslav got the info on what the
problem was.
After removing my policy module, I've watched changes to
/var/log/audit/audit.log as I activated root access in a normal account and the
badge *did not* appear -- there are no USER_AVC messages. There is nothing in
secure or messages either that looks abnormal.
I'm a bit of a noob with this audit stuff, so please give a little more detail
on how to capture the data you need...thanks!
BTW, here is the policy I created (that works) based on the first three
comments... are you sure selinux-policy-3.0.8-94.fc8 and later has this?

```
# Module name assumed from the "audit2allow -M mypol" command given above.
module mypol 1.0;

require {
	type pam_t;
	type initrc_var_run_t;
	class file { read lock };
}

# Let pam_timestamp_check read and lock /var/run/utmp (initrc_var_run_t);
# write access is not needed.
allow pam_t initrc_var_run_t:file { read lock };
```
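The thread above shows the usual loop for a denial like this one: find the AVC records for the process, let audit2allow turn them into allow rules, and load the result as a module (`audit2allow -M mypol` followed by `semodule -i mypol.pp`). It also shows the least-privilege point worth keeping in mind: the first generated rule asked for `{ read write lock }`, and the narrower `{ read lock }` turned out to be enough. The script below is an added example, not part of the bug report or of the selinux-policy package. It is a dependency-free stand-in for the audit2allow step, written in POSIX sh and awk so it runs anywhere: `avc_to_allow` reduces AVC denial records to one aggregated allow rule per source type, target type and class, and `rules_to_te` wraps those rules in a `.te` module source with the `require` block that audit2allow would emit. The audit records it parses are constructed for the example (the pid, inode and timestamps are made up), and the module name `mypol` is taken from the command in the thread.

```shell
#!/bin/sh
# Added example (not from the bug report): a minimal stand-in for the
# audit2allow step discussed above. It turns AVC denial records into the
# smallest "allow" rules that cover them and wraps them in a .te module.
# The real workflow is: ausearch -m AVC, audit2allow -M mypol, semodule -i mypol.pp.

# Constructed sample audit records (not copied from the reporter's audit.log):
# two denials for pam_t on utmp, plus one "granted" record that must be ignored.
SAMPLE_AVCS='type=AVC msg=audit(1205544000.101:201): avc:  denied  { read } for  pid=4321 comm="pam_timestamp_c" name="utmp" dev=dm-0 ino=9876 scontext=system_u:system_r:pam_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1205544000.102:202): avc:  denied  { lock } for  pid=4321 comm="pam_timestamp_c" name="utmp" dev=dm-0 ino=9876 scontext=system_u:system_r:pam_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1205544000.103:203): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# avc_to_allow: read audit records on stdin and emit one aggregated allow rule
# per (source type, target type, class); permissions are de-duplicated and sorted.
avc_to_allow() {
  awk '/^type=AVC / && / denied / {
      perms = $0
      sub(/.*denied[ ]*[{][ ]*/, "", perms)   # keep the text after "denied {"
      sub(/[ ]*[}].*/, "", perms)             # drop everything from "}" onward
      s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        # a context is user:role:TYPE:level; the policy rule only needs TYPE
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
        if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++) print s, t, c, p[i]
    }' | sort -u | awk '
    { key = $1 " " $2 ":" $3
      if (key != prev) {
        if (prev != "") print "allow " prev " { " perms " };"
        prev = key; perms = $4
      } else {
        perms = perms " " $4
      }
    }
    END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# rules_to_te MODNAME: wrap allow rules from stdin in a loadable-module source
# file, generating the require block (types and classes with their permissions).
rules_to_te() {
  awk -v mod="$1" '/^allow / {
      s = $2; split($3, tc, ":"); t = tc[1]; c = tc[2]
      perms = $0
      sub(/.*[{][ ]*/, "", perms); sub(/[ ]*[}].*/, "", perms)
      types[s] = 1; types[t] = 1
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++)
        if (index(" " cperms[c] " ", " " p[i] " ") == 0)
          cperms[c] = (cperms[c] == "" ? p[i] : cperms[c] " " p[i])
      rules = rules $0 "\n"
    }
    END {
      print "module " mod " 1.0;"
      print "require {"
      for (ty in types) print "\ttype " ty ";"
      for (cl in cperms) print "\tclass " cl " { " cperms[cl] " };"
      print "}"
      printf "%s", rules
    }'
}

# Stand-alone run: print the aggregated rules, then the complete mypol.te source
# that checkmodule/semodule_package (or audit2allow -M mypol) would build from.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow | rules_to_te mypol
```

On a real system the input would come from `ausearch -m AVC -c pam_timestamp_c` or directly from `/var/log/audit/audit.log`, which is where the records the maintainer asked for live when they are not surfaced as desktop alerts. The output is only as narrow as the denials you feed it: rules generated from a single run reflect what that run tried to do, so read each one and drop permissions the program does not actually need, as the `{ read lock }` versus `{ read write lock }` exchange above illustrates.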
I was just poking around updates-testing to see if there was a new version of selinux-policy. There wasn't, but I noticed selinux-policy-targeted-3.0.8-95.fc8 was out there and I had not updated to it. Once I updated my selinux-policy-targeted package from updates-testing, the 'badge' now appears as it should (yes, I made sure my policy module was removed). Originally, I had only updated selinux-policy as that was all that was mentioned above. I guess I needed to update both of them. Looks like this issue has been corrected. Thanks!

Question: I noticed that the Fedora 9 Beta has this problem as well. Will the fix implemented here eventually find its way into the F9 packages or does another bug need to be opened? Thanks, Patrick

All fixes go into all packages. If I see a bug report against any release I try to fix it in all releases that it would affect.