Bug 708378

Summary: SElinux prevents /usr/sbin/rwhod from reading /dev/pts/*
Product: Fedora
Reporter: Ian Donaldson <idonaldson0>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 14
CC: dominick.grift, dwalsh, hhorak, mgrepl
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.9.7-44.fc14
Doc Type: Bug Fix
Last Closed: 2011-08-12 11:01:06 UTC

Description Ian Donaldson 2011-05-27 14:09:41 UTC
Description of problem:

rwhod sends out idle times as zero for all users if selinux is enabled

Version-Release number of selected component (if applicable):

rwho-0.17-33.fc14.x86_64
selinux-policy-targeted-3.9.7-40.fc14.noarch


How reproducible:

100%

Steps to Reproduce:
1. rwho
Actual results:

somebody     cc04:pts/1     May 27 08:11



Expected results:

somebody     cc04:pts/1     May 27 08:11 :04


Additional info:

First reported by me in https://bugzilla.redhat.com/show_bug.cgi?id=357591 on FC7.

The problem is that rwhod running as rwho_t cannot stat /dev/pts/*
due to selinux restriction.

strace of the child rwhod process shows...

--
stat("/var/run/utmp", {st_mode=S_IFREG|0664, st_size=3840, ...}) = 0
chdir("/dev/")                          = 0
stat(":0", 0x7fffe270e180)              = -1 ENOENT (No such file or directory)
stat("pts/0", 0x7fffe270e180)           = -1 EACCES (Permission denied)
stat("pts/1", 0x7fffe270e180)           = -1 EACCES (Permission denied)
open("/proc/loadavg", O_RDONLY)         = 5
--


This ruleset fixes the problem:

--
require {
        type rwho_t;
        type user_devpts_t;
        class chr_file { getattr };
}

allow rwho_t user_devpts_t:chr_file getattr;
--
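The ruleset above is the shape of what audit2allow emits from the AVC denials behind those EACCES errors. The following is an added example, not the reporter's code: a minimal Python equivalent that reads constructed audit.log AVC lines (the bug report itself shows only strace output, so the lines are made up to match it), groups the denied permissions by source type, target type and object class, and prints a TE fragment granting exactly those permissions and nothing more. A third constructed line for user_tty_device_t reflects the broader fix in Comment 1.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not taken from the bug report) in the
# audit.log format that rwhod's failed stat() calls on /dev/pts/* and
# /dev/tty* would produce under the rwho_t domain.
SAMPLE_AVC = """\
type=AVC msg=audit(1306504181.123:45): avc:  denied  { getattr } for  pid=1234 comm="rwhod" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:rwho_t:s0 tcontext=system_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1306504181.124:46): avc:  denied  { getattr } for  pid=1234 comm="rwhod" path="/dev/pts/1" dev=devpts ino=4 scontext=system_u:system_r:rwho_t:s0 tcontext=system_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1306504200.001:47): avc:  denied  { getattr } for  pid=1234 comm="rwhod" path="/dev/tty1" dev=devtmpfs ino=9 scontext=system_u:system_r:rwho_t:s0 tcontext=system_u:object_r:user_tty_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    stype = m.group('scon').split(':')[2]
    ttype = m.group('tcon').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())


def denials_to_te(log_text):
    """Aggregate denials and emit a least-privilege TE fragment like audit2allow."""
    rules = defaultdict(set)          # (stype, ttype, tclass) -> permissions
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)        # tclass -> union of permissions required
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ['require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    # One allow rule per (source, target, class); only the permissions actually denied.
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f'allow {stype} {ttype}:{tclass} {" ".join(sorted(perms))};')
    return '\n'.join(out)


if __name__ == '__main__':
    print(denials_to_te(SAMPLE_AVC))
```

Review the generated rules before loading them: a denial that reflects a real misconfiguration or compromise should be fixed at the source, not allowed away.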

Comment 1 Dominick Grift 2011-06-02 14:05:35 UTC
allow rwho_t to get attributes of both user_devpts_t and user_tty_device_t character files

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=8fc060c2434ae9ada59a9fd7835f1cf024168900

Comment 2 Miroslav Grepl 2011-06-07 11:33:19 UTC
Fixed in selinux-policy-3.9.7-43.fc14

Comment 3 Fedora Update System 2011-08-04 13:58:02 UTC
selinux-policy-3.9.7-44.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-44.fc14

Comment 4 Fedora Update System 2011-08-05 03:53:13 UTC
Package selinux-policy-3.9.7-44.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-44.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-44.fc14
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2011-08-12 11:00:08 UTC
selinux-policy-3.9.7-44.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2011-08-12 18:24:40 UTC
selinux-policy-3.9.7-44.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.