Bug 681548

Summary: SELinux is preventing /sbin/mingetty "setattr" access on tty2.
Product: Red Hat Enterprise Linux 6 Reporter: Red Hat Case Diagnostics <case-diagnostics>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED INSUFFICIENT_DATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.0CC: dwalsh
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: setroubleshoot_trace_hash:6580d63395f7249b632059170204072fc3fe7c96f2be2c7d7c642a542f9a5c79
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-11 15:24:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Red Hat Case Diagnostics 2011-03-02 14:46:06 UTC
Summary:

SELinux is preventing /sbin/mingetty "setattr" access on tty2.

Detailed Description:

SELinux denied access requested by mingetty. It is not expected that this access
is required by mingetty and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:sysadm_t:s0
Target Context                system_u:object_r:tty_device_t:s0
Target Objects                tty2 [ chr_file ]
Source                        mingetty
Source Path                   /sbin/mingetty
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mingetty-1.08-4.1.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-54.el6_0.3
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32-71.14.1.el6.x86_64 #1 SMP Wed Jan 5
                              17:01:01 EST 2011 x86_64 x86_64
Alert Count                   27
First Seen                    Wed 02 Mar 2011 09:33:02 AM EST
Last Seen                     Wed 02 Mar 2011 09:35:13 AM EST
Local ID                      9a5ddf43-7d20-4afd-afd0-7c4012b45b7a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1299076513.198:38818): avc:  denied  { setattr } for  pid=15635 comm="mingetty" name="tty2" dev=devtmpfs ino=5067 scontext=system_u:system_r:sysadm_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1299076513.198:38818): arch=c000003e syscall=92 success=no exit=-13 a0=7fff006fba40 a1=0 a2=0 a3=8 items=0 ppid=1 pid=15635 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mingetty" exe="/sbin/mingetty" subj=system_u:system_r:sysadm_t:s0 key=(null)



Hash String generated from  catchall,mingetty,sysadm_t,tty_device_t,chr_file,setattr
audit2allow suggests:

#============= sysadm_t ==============
allow sysadm_t tty_device_t:chr_file setattr;

Comment 3 Daniel Walsh 2011-03-02 19:22:33 UTC
Why is sysadm_t running mingetty?