Bug 503130

Summary: SELinux prevented groupadd/load_policy from using the terminal tty0
Product: [Fedora] Fedora
Reporter: Allen Kistler <ackistler>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: dwalsh, jkubin, mgrepl
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-08-21 21:29:17 UTC

Description Allen Kistler 2009-05-29 05:24:04 UTC
Description of problem:
Updating packages runs embedded scripts that seem to need some additional type enforcement rules.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-39.fc11.noarch

(a previous policy really generated the denials, but audit2why verifies this one would as well)

How reproducible:
Always (?)

Steps to Reproduce:
1. yum update for the affected packages (see below)
  
Actual results:
AVC denials (see below)

Expected results:
No AVC denials

Additional info:

node=ack607 type=AVC msg=audit(1243495986.517:11): avc:  denied  { read write } for  pid=1905 comm="groupadd" name="tty0" dev=tmpfs ino=434 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=ack607 type=AVC msg=audit(1243496054.634:14): avc:  denied  { read write } for  pid=2031 comm="load_policy" name="tty0" dev=tmpfs ino=434 scontext=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

The above audit entries correspond to the following entries from messages.

May 28 02:33:08 localhost yum: Updated: initscripts-8.95-1.i586
May 28 02:33:09 localhost setroubleshoot: SELinux prevented groupadd from using the terminal tty0.
May 28 02:33:09 localhost kernel: udev: starting version 141
May 28 02:33:09 localhost yum: Updated: udev-141-3.fc11.i586

May 28 02:33:54 localhost yum: Updated: selinux-policy-3.6.12-39.fc11.noarch
May 28 02:34:15 localhost setroubleshoot: SELinux prevented load_policy from using the terminal tty0.
May 28 02:34:15 localhost dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
May 28 02:34:15 localhost dbus: Reloaded configuration
May 28 02:34:16 localhost yum: Updated: selinux-policy-targeted-3.6.12-39.fc11.noarch
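
The correspondence the report describes between the audit records and the messages entries can be checked mechanically. The following is an added example, not part of the original report: it parses the two AVC records and pairs each with its setroubleshoot line. The function names, the 5-second window and the UTC-5 host offset are assumptions (the offset is inferred, since the audit epoch times only line up with the syslog times at UTC-5).

```python
import re
from datetime import datetime, timedelta, timezone

# The two AVC records and the setroubleshoot lines quoted in the report.
AUDIT = [
    'node=ack607 type=AVC msg=audit(1243495986.517:11): avc:  denied  { read write } for  pid=1905 comm="groupadd" name="tty0" dev=tmpfs ino=434 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file',
    'node=ack607 type=AVC msg=audit(1243496054.634:14): avc:  denied  { read write } for  pid=2031 comm="load_policy" name="tty0" dev=tmpfs ino=434 scontext=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file',
]
SYSLOG = [
    'May 28 02:33:09 localhost setroubleshoot: SELinux prevented groupadd from using the terminal tty0.',
    'May 28 02:34:15 localhost setroubleshoot: SELinux prevented load_policy from using the terminal tty0.',
]
AVC_RE = re.compile(
    r'msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
SYS_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ setroubleshoot: '
                    r'SELinux prevented (?P<comm>\S+) ')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "when": datetime.fromtimestamp(int(m["epoch"]), timezone.utc),
        "serial": int(m["serial"]),
        "comm": m["comm"],
        "perms": m["perms"].split(),
        "source": m["scon"].split(":")[2],   # SELinux type of the process
        "target": m["tcon"].split(":")[2],   # SELinux type of the object
        "tclass": m["tclass"],
    }

def correlate(audit_lines, syslog_lines, utc_offset_hours=-5, window_s=5):
    """Pair each AVC with the setroubleshoot line logged shortly after it."""
    tz = timezone(timedelta(hours=utc_offset_hours))  # assumed host timezone
    avcs = [a for a in map(parse_avc, audit_lines) if a]
    pairs = []
    for m in filter(None, map(SYS_RE.match, syslog_lines)):
        for a in avcs:
            local = a["when"].astimezone(tz)
            # syslog timestamps carry no year; borrow it from the audit record
            logged = datetime.strptime(f"{local.year} {m['ts']}",
                                       "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
            delay = (logged - local).total_seconds()
            if a["comm"] == m["comm"] and 0 <= delay <= window_s:
                pairs.append((a["serial"], a["source"], a["target"], delay))
    return pairs
```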

Comment 1 Bug Zapper 2009-06-09 16:45:01 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Daniel Walsh 2009-08-21 21:29:17 UTC
Seems to be fixed in F11 release.