Bug 735556
Summary: SELinux is preventing /usr/bin/chfn from 'getattr' accesses on the sock_file /dev/gpmctl.

Field | Value | Field | Value
---|---|---|---
Product | [Fedora] Fedora | Reporter | zxcv <Dietrich.Lolz>
Component | util-linux | Assignee | Karel Zak <kzak>
Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa>
Severity | unspecified | Docs Contact | 
Priority | unspecified | | 
Version | 16 | CC | dominick.grift, dwalsh, jonathan, kzak, mgrepl, msava, tmraz
Target Milestone | --- | | 
Target Release | --- | | 
Hardware | x86_64 | | 
OS | Unspecified | | 
Whiteboard | abrt_hash:085c1ad835ae88607877758f73493aa3e6ed7e946bf6208c019c0992cf589264 | | 
Fixed In Version | | Doc Type | Bug Fix
Doc Text | | Story Points | ---
Clone Of | | Environment | 
Last Closed | 2012-01-10 12:05:22 UTC | Type | ---
Regression | --- | Mount Type | ---
Documentation | --- | CRM | 
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | --- | Target Upstream Version | 
Embargoed | | | 
Description
zxcv
2011-09-03 14:46:15 UTC
Does everything work as you expect?

*** Bug 735557 has been marked as a duplicate of this bug. ***

*** Bug 735558 has been marked as a duplicate of this bug. ***

*** Bug 735559 has been marked as a duplicate of this bug. ***

*** Bug 735560 has been marked as a duplicate of this bug. ***

*** Bug 735561 has been marked as a duplicate of this bug. ***

*** Bug 735562 has been marked as a duplicate of this bug. ***

*** Bug 735563 has been marked as a duplicate of this bug. ***

*** Bug 735564 has been marked as a duplicate of this bug. ***

*** Bug 735565 has been marked as a duplicate of this bug. ***

*** Bug 735566 has been marked as a duplicate of this bug. ***

*** Bug 735567 has been marked as a duplicate of this bug. ***

*** Bug 735568 has been marked as a duplicate of this bug. ***

*** Bug 735570 has been marked as a duplicate of this bug. ***

*** Bug 735571 has been marked as a duplicate of this bug. ***

*** Bug 735572 has been marked as a duplicate of this bug. ***

*** Bug 735573 has been marked as a duplicate of this bug. ***

*** Bug 735574 has been marked as a duplicate of this bug. ***

*** Bug 735575 has been marked as a duplicate of this bug. ***

*** Bug 735576 has been marked as a duplicate of this bug. ***

*** Bug 735577 has been marked as a duplicate of this bug. ***

*** Bug 735578 has been marked as a duplicate of this bug. ***

*** Bug 735579 has been marked as a duplicate of this bug. ***

*** Bug 735581 has been marked as a duplicate of this bug. ***

*** Bug 735582 has been marked as a duplicate of this bug. ***

*** Bug 735583 has been marked as a duplicate of this bug. ***

PLEASE do not just hit "report bug" like this; it just becomes a pain for us to handle. If you see lots of AVC messages all related to the same problem, please report one bug and then tell us you got lots of AVCs. This will make us a lot more efficient.

util-linux guys, any idea why chfn would stat every device?
Miroslav, since we already have dev_dontaudit_getattr_all(useradd_t) this is probably the same problem, and we should just add dev_dontaudit_getattr_all(chfn_t).

(In reply to comment #28)
> util-linux guys, any idea why chfn would stat every device?

I don't understand the question. It doesn't work with devices. Try

    strace -e open,stat,fstat -o ~/log chfn

or send a complete strace.

Probably a rogue pam module. I would figure pam_finger.

Is it possible that this is the ttyname() problem? And that the real solution is to allow getattr on the tty devices rather than to dontaudit all getattrs for these utilities?

(In reply to comment #32)
> Is it possible that this is the ttyname() problem?

Good point. By default ttyname() reads the /proc/self/fd/1 symlink, for example:

    readlink("/proc/self/fd/0", "/dev/pts/1", 4095) = 10
    stat("/dev/pts/1", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
    fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0

and if this way is unsuccessful then it scans (readdir + stat) the "/dev/pts" and "/dev" directories :-(

Anyway, I don't see any reason why chfn(1) should not be able to read /proc/self/fd/* files.

I guess it depends on what those are links to. I am not sure what the label of /dev/pts/1 is that is triggering the problem.

git patch 7493a8faf03525018b2ba0531deb816aa66f60a8 allows all of chfn, passwd, useradd, groupadd to getattr on any pty. Should show up in selinux-policy-3.10.0-46.fc16.

I guess that the problem is fixed now. Closing.
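The ttyname() lookup strategy described in the reply above (readlink on /proc/self/fd/N and a stat/fstat comparison, then a readdir + stat scan of /dev/pts and /dev when that fails) is what links a chfn run to a getattr on an unrelated socket like /dev/gpmctl. The following is an added example, not code from the bug report, util-linux or glibc: a minimal reimplementation of that strategy in C. The function names resolve_via_proc, resolve_by_scan and ttyname_like and the scan_stat_calls counter are this example's own; the temporary-file usage in the usage note is constructed for illustration.

```c
/* Added example: a ttyname(3)-like lookup showing why the fallback path
 * calls stat() on every node in /dev. Names are this example's own and do
 * not mirror glibc's internal identifiers. */
#define _DEFAULT_SOURCE 1
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Number of stat() calls made during the last directory scan; on an
 * SELinux system each one is a getattr check on that node. */
static int scan_stat_calls;

/* Same underlying object? Compare device and inode; for character
 * devices (ttys) additionally compare the device number. */
static int same_node(const struct stat *a, const struct stat *b)
{
    if (a->st_dev != b->st_dev || a->st_ino != b->st_ino)
        return 0;
    if (S_ISCHR(a->st_mode) && a->st_rdev != b->st_rdev)
        return 0;
    return 1;
}

/* Fast path: readlink /proc/self/fd/N and verify the target really is the
 * object behind fd. Needs read on /proc/self/fd/N and getattr on the
 * target only. Returns 0 on success, -1 on failure with errno set. */
int resolve_via_proc(int fd, char *buf, size_t buflen)
{
    char link[64];
    struct stat st_fd, st_path;
    ssize_t n;

    if (fstat(fd, &st_fd) < 0)
        return -1;
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    n = readlink(link, buf, buflen - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    /* Non-path targets ("socket:[123]") or a replaced file: not found. */
    if (buf[0] != '/' || stat(buf, &st_path) < 0 || !same_node(&st_fd, &st_path)) {
        errno = ENOENT;
        return -1;
    }
    return 0;
}

/* Slow path: readdir() the directory and stat() every entry until one
 * matches fd. Run over /dev this touches sockets, block devices and
 * everything else, which is where a getattr AVC on /dev/gpmctl comes from. */
int resolve_by_scan(int fd, const char *dir, char *buf, size_t buflen)
{
    struct stat st_fd, st_ent;
    struct dirent *de;
    DIR *d;
    int found = 0;

    scan_stat_calls = 0;
    if (fstat(fd, &st_fd) < 0)
        return -1;
    d = opendir(dir);
    if (!d)
        return -1;
    while (!found && (de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        if (snprintf(buf, buflen, "%s/%s", dir, de->d_name) >= (int)buflen)
            continue;
        scan_stat_calls++;
        if (stat(buf, &st_ent) == 0 && same_node(&st_fd, &st_ent))
            found = 1;
    }
    closedir(d);
    if (!found) {
        errno = ENOENT;
        return -1;
    }
    return 0;
}

/* ttyname()-like lookup: /proc first, then scan /dev/pts, then /dev.
 * If the /proc step is denied (or getattr on the pty is denied), the scan
 * runs and every node in /dev gets a getattr check. */
int ttyname_like(int fd, char *buf, size_t buflen)
{
    if (!isatty(fd))
        return -1;
    if (resolve_via_proc(fd, buf, buflen) == 0)
        return 0;
    if (resolve_by_scan(fd, "/dev/pts", buf, buflen) == 0)
        return 0;
    return resolve_by_scan(fd, "/dev", buf, buflen);
}

int main(void)
{
    char name[4096];
    if (ttyname_like(STDIN_FILENO, name, sizeof name) == 0)
        printf("stdin is %s\n", name);
    else
        printf("stdin not resolved: %s\n", strerror(errno));
    printf("stat() calls in last directory scan: %d\n", scan_stat_calls);
    return 0;
}
```

Run interactively, the /proc path normally succeeds and the scan counter stays at zero; if you deny the process read on /proc/self/fd or getattr on its own pty, the /dev scan runs and the counter shows how many nodes were stat()ed, each a potential AVC. That is the reasoning behind preferring an allow rule for getattr on ptys (so the fast path succeeds) over a dontaudit of all getattr on device nodes, which would hide the scan but not stop it.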