Bug 845033
| Summary: | selinux policy for iucvtty | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | David Juran <djuran> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Priority: | medium |
| Version: | 6.3 | CC: | dwalsh, mmalik, mtruneck |
| Target Milestone: | rc | Hardware: | Unspecified |
| OS: | Linux | Type: | Bug |
| Fixed In Version: | selinux-policy-3.7.19-188.el6 | Doc Type: | Bug Fix |
| Last Closed: | 2013-02-21 08:27:23 UTC | | |
Created attachment 601759
Module that solves the problem

The attached module (mainly by Dan Walsh) solves the problem.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-0314.html

Description of problem:
On zLinux (s390x) there is a way to communicate between two VMs running on the same hypervisor using iucvconn (on the connecting side) and iucvtty (on the receiver). These utilities are part of our s390utils package. However, if SELinux is enabled (well, enforcing of course), all of this fails since iucvtty won't be allowed to transition out of the init_t domain.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-155.el6_3

How reproducible:
Every time

Steps to Reproduce:
1. From another VM on the same hypervisor, run iucvconn <target vm> <target terminal>

Actual results:
May 30 10:37:44 zlin1006 kernel: type=1400 audit(1338367064.593:28): avc: denied { transition } for pid=27030 comm="login" path="/lib64/security/pam_krb5/pam_krb5_storetmp" dev=dm-0 ino=137345 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

Expected results:
No AVC

Additional info:
As recommended in the iucvtty man page, I'm starting iucvtty from the inittab (well, /etc/init, this is RHEL6).
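
A triage aid for the denial quoted in this report, added here as an example and not part of the bug report or the attached module: it parses AVC messages and picks out denied process transitions whose source domain is still init_t, the symptom described above. The function names and the second sample line are constructed for illustration.

```python
import re
import shlex

# The denial quoted in the report, verbatim.
REPORTED = (
    'May 30 10:37:44 zlin1006 kernel: type=1400 audit(1338367064.593:28): '
    'avc: denied { transition } for pid=27030 comm="login" '
    'path="/lib64/security/pam_krb5/pam_krb5_storetmp" dev=dm-0 ino=137345 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process'
)
# Constructed sample for contrast: an ordinary file denial, not a domain problem.
CONSTRUCTED = (
    'type=AVC msg=audit(1338367100.000:40): avc:  denied  { read } for pid=1234 '
    'comm="httpd" name="notes.txt" dev=dm-0 ino=99 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')

def parse_avc(line):
    """Return the fields of one AVC message as a dict, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    try:
        tokens = shlex.split(m.group(3))   # honours quoted values such as comm="..."
    except ValueError:                     # unbalanced quotes in a damaged line
        return None
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if sep:
            rec[key] = value
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")   # user:role:type:level
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def init_t_transition_denials(lines):
    """(comm, source type, target type) for denied process transitions out of init_t."""
    hits = []
    for rec in filter(None, map(parse_avc, lines)):
        if (rec["result"] == "denied" and rec.get("tclass") == "process"
                and "transition" in rec["perms"] and rec["scontext_type"] == "init_t"):
            hits.append((rec.get("comm"), rec["scontext_type"], rec["tcontext_type"]))
    return hits

if __name__ == "__main__":
    print(init_t_transition_denials([REPORTED, CONSTRUCTED, "unrelated syslog line"]))
```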