Bug 765767
| Summary: | SELinux is preventing /sbin/rsyslogd from 'open' accesses on the chr_file 1. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Douglas Furlong <bugzilla_rhn> | ||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 16 | CC: | dominick.grift, dwalsh, mgrepl, prarit, theinric | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | abrt_hash:50d77ea8bff4579ab975cd5f60cc44ce17fa6a3cde4dab62d0b0c96cdb2dacb0 | ||||||
| Fixed In Version: | selinux-policy-3.10.0-75.fc16 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2012-02-02 17:24:59 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Douglas Furlong
2011-12-09 11:26:50 UTC
Created attachment 544487 [details]
File: description
*** Bug 765768 has been marked as a duplicate of this bug. *** Does it happen by default? Tomas, any idea why rsyslogd needs to use user pty? Douglas did you setup syslog to write to the users pty? Afternoon all Sorry for taking so long to get back to you. This was a base install without any modification. p.s. sorry for the duplicate bug post. (In reply to comment #4) > Tomas, > any idea why rsyslogd needs to use user pty? Perhaps emergency (wall) messages? (But I'm not sure how probable that is.) The command it was executing is: rs:main Q:Reg I'm able to reproduce it with
# setenforce 0
# echo l > /proc/sysrq-trigger
/var/log/audit/audit.log:
type=AVC msg=audit(1328020365.437:66): avc: denied { open } for pid=643 comm=72733A6D61696E20513A526567 name="1" dev=devpts ino=4 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
rsyslog-5.8.7-1.fc16
kernel-3.2.2-1.fc16
selinux-policy-targeted-3.10.0-72.fc16.noarch
This generates messages with priority kern.emerg<0>, kern.warning<4> and the daemon attempts to write them to all users.
This looks like a reasonable use case and probably should be allowed in the policy.
This can be allowed via a disabled boolean. I don't think this is that common, and I am not crazy about a root process that can be potentially tricked by apps to convince users to do crazy things... syslog_use_tty selinux-policy-3.10.0-75.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-75.fc16 Package selinux-policy-3.10.0-75.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-75.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-1133/selinux-policy-3.10.0-75.fc16 then log in and leave karma (feedback). selinux-policy-3.10.0-75.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. *** Bug 784698 has been marked as a duplicate of this bug. *** |