Bug 444898
| Summary: | SE-Linux vs. pam | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | shiv <shiv> |
| Component: | pam | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8 | CC: | dwalsh |
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Fixed In Version: | selinux-policy-3.0.8-102.fc8 | Doc Type: | Bug Fix |
| Last Closed: | 2008-10-01 10:01:14 UTC | Type: | --- |

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/cpu/1/msr,

    restorecon -v '/dev/cpu/1/msr'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ. Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

pam_console_apply should be able to getattr cpu_device_t

You can allow this for now.

    # audit2allow -M mypol -l -i /var/log/audit/audit.log
    # semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-102.fc8

| Source Context: | system_u:system_r:pam_console_t:s0-s0:c0.c1023 |
|---|---|
| Target Context: | system_u:object_r:cpu_device_t:s0 |
| Target Objects: | /dev/cpu/1/msr [ chr_file ] |
| Source: | pam_console_app |
| Source Path: | /sbin/pam_console_apply |
| Port: | <Unknown> |
| Host: | sobolev |
| Source RPM Packages: | pam-0.99.8.1-17.1.fc8 |
| Target RPM Packages: | |
| Policy RPM: | selinux-policy-3.0.8-98.fc8 |
| Selinux Enabled: | True |
| Policy Type: | targeted |
| MLS Enabled: | True |
| Enforcing Mode: | Enforcing |
| Plugin Name: | catchall_file |
| Host Name: | sobolev |
| Platform: | Linux sobolev 2.6.24.5-85.fc8 #1 SMP Sat Apr 19 11:18:09 EDT 2008 x86_64 x86_64 |
| Alert Count: | 1 |
| First Seen: | Thu 01 May 2008 09:14:11 AM PDT |
| Last Seen: | Thu 01 May 2008 09:14:11 AM PDT |
| Local ID: | 92a10298-10e8-495b-85ca-ea395388d8cd |
| Line Numbers: | |

Raw Audit Messages:

    host=sobolev type=AVC msg=audit(1209658451.363:39): avc: denied { getattr } for pid=12959 comm="pam_console_app" path="/dev/cpu/1/msr" dev=tmpfs ino=122003 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file

    host=sobolev type=SYSCALL msg=audit(1209658451.363:39): arch=c000003e syscall=4 success=no exit=-13 a0=810540 a1=7fff01338d30 a2=7fff01338d30 a3=349a3529f0 items=0 ppid=12957 pid=12959 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pam_console_app" exe="/sbin/pam_console_apply" subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)