Bug 521390

The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing groupadd (groupadd_t) "read" console (console_device_t).

Description détaillée:

[groupadd has a permissive type (groupadd_t). This access was not denied.]

SELinux denied access requested by the groupadd command. It looks like this is
either a leaked descriptor or groupadd output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the console. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Informations complémentaires:

Contexte source               unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
Contexte cible                system_u:object_r:console_device_t:s0
Objets du contexte            console [ chr_file ]
source                        groupadd
Chemin de la source           /usr/sbin/groupadd
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         shadow-utils-4.1.4.1-6.fc12
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.26-8.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 leaks
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31-0.138.rc5.git3.fc12.x86_64
                              #1 SMP Thu Aug 6 16:59:15 EDT 2009 x86_64 x86_64
Compteur d'alertes            3
Première alerte              sam. 05 sept. 2009 15:39:07 CEST
Dernière alerte              sam. 05 sept. 2009 15:39:32 CEST
ID local                      d17f5900-380a-402e-b3dc-009415cd21e8
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1252157972.813:174): avc:  denied  { read } for  pid=14180 comm="groupadd" name="console" dev=tmpfs ino=1052 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1252157972.813:174): arch=c000003e syscall=59 success=yes exit=0 a0=981360 a1=9815a0 a2=97f0f0 a3=7fff84772e50 items=0 ppid=14179 pid=14180 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= groupadd_t ==============
allow groupadd_t console_device_t:chr_file read;