Bug 604012
| Summary: | avc: denied { read write } for ... comm="passwd" name="ttyS0" dev=devtmpfs ... | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.0 | CC: | mgrepl |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-06-16 10:01:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Milos Malik
2010-06-15 07:28:07 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.

It seems that kexec has the same problem as passwd.

```
----
time->Tue Jun 15 05:51:42 2010
type=SYSCALL msg=audit(1276595502.547:40576): arch=c000003e syscall=59 success=yes exit=0 a0=1266ee0 a1=125f150 a2=1266ff0 a3=20 items=0 ppid=14499 pid=14502 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="kexec" exe="/sbin/kexec" subj=unconfined_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1276595502.547:40576): avc: denied { read append } for pid=14502 comm="kexec" path="/dev/ttyS0" dev=devtmpfs ino=5009 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1276595502.547:40576): avc: denied { read write } for pid=14502 comm="kexec" name="ttyS0" dev=devtmpfs ino=5009 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
----
```

Why did you run restorecon -R -v /dev? This causes the /dev/ttyS0 to be set back to the default label, causing these avc messages. When you log in, the login program labels the tty to match the process. If you run restorecon it sets it back to the state of a user not being logged in. You should never need to run restorecon on /dev. Udev manages that directory. I think I should close this as not a bug.

I'm sorry I didn't know that udev also manages SELinux labels in /dev.

Agreed - not a bug. I am closing it as NOTABUG.
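For triage of similar reports, the following added example (not part of the bug report or of selinux-policy) parses the two AVC records from the kexec comment above and flags denials on a character device that still carries the default `tty_device_t` type. The function names and the heuristic itself are assumptions of this example.

```python
import re

# AVC records copied from the kexec comment above (SYSCALL record omitted).
SAMPLE = '''\
type=AVC msg=audit(1276595502.547:40576): avc: denied { read append } for pid=14502 comm="kexec" path="/dev/ttyS0" dev=devtmpfs ino=5009 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1276595502.547:40576): avc: denied { read write } for pid=14502 comm="kexec" name="ttyS0" dev=devtmpfs ino=5009 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type:level; index 2 is the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def default_tty_denials(text):
    """Denials on a character device still carrying the default tty_device_t type.

    Assumption (heuristic of this example): a confined domain denied on
    tty_device_t usually means the terminal lost its login-time label.
    """
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["tclass"] == "chr_file" and rec["ttype"] == "tty_device_t":
            dev = rec.get("path") or "/dev/" + rec.get("name", "?")
            hits.append((rec["comm"], rec["stype"], dev, tuple(rec["perms"])))
    return hits

if __name__ == "__main__":
    for comm, stype, dev, perms in default_tty_denials(SAMPLE):
        print(f"{comm} ({stype}) denied {' '.join(perms)} on {dev}: "
              "tty has the default label, check whether /dev was relabeled")
```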