Bug 639230
Summary: | SELinux is preventing /usr/lib/vte/gnome-pty-helper "open" access on wtmp | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6.0 | CC: | ksrot |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.7.19-56.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2011-05-19 11:56:42 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Milos Malik
2010-10-01 07:48:33 UTC
This time it is "lock" instead of "open". Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by gnome-pty-helpe. It is not expected that this access is required by gnome-pty-helpe and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context xguest_u:xguest_r:xguest_t:s0 Target Context system_u:object_r:wtmp_t:s0 Target Objects /var/log/wtmp [ file ] Source gnome-pty-helpe Source Path /usr/lib/vte/gnome-pty-helper Port <Unknown> Host localhost.localdomain Source RPM Packages vte-0.25.1-5.el6 Target RPM Packages initscripts-9.03.17-1.el6 Policy RPM selinux-policy-3.7.19-55.el6 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.32-71.el6.i686 #1 SMP Wed Sep 1 01:26:34 EDT 2010 i686 i686 Alert Count 2 First Seen Thu Sep 30 16:13:56 2010 Last Seen Fri Oct 1 09:21:52 2010 Local ID 167e198f-6c2e-469c-8034-71b50328d9e1 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1285917712.382:142): avc: denied { lock } for pid=3503 comm="gnome-pty-helpe" path="/var/log/wtmp" dev=dm-0 ino=10815 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1285917712.382:142): arch=40000003 syscall=221 success=yes exit=0 a0=5 a1=7 a2=bffa763c a3=bffa75b0 items=0 ppid=3502 pid=3503 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=22 sgid=22 fsgid=22 tty=(none) ses=9 comm="gnome-pty-helpe" exe="/usr/lib/vte/gnome-pty-helper" subj=xguest_u:xguest_r:xguest_t:s0 key=(null) Does this happen when you login in enforcing mode? Miroslav lets add auth_dontaudit_read_login_records($1_usertype) to userdom_restricted_xwindows_user_template Fixed in selinux-policy-3.7.19-56.el6.noarch An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0526.html |