Description of problem: I saw this error when I finished "yum update". SELinux is preventing /usr/sbin/rsyslogd from 'open' accesses on the chr_file /dev/pts/0. ***** Plugin catchall_boolean (47.5 confidence) suggests ****************** If you want to allow logging to syslogd use tty Then you must tell SELinux about this by enabling the 'logging_syslogd_use_tty' boolean. You can read 'None' man page for more details. Do setsebool -P logging_syslogd_use_tty 1 ***** Plugin catchall_boolean (47.5 confidence) suggests ****************** If you want to allow daemons to use tty Then you must tell SELinux about this by enabling the 'daemons_use_tty' boolean. You can read 'None' man page for more details. Do setsebool -P daemons_use_tty 1 ***** Plugin catchall (6.38 confidence) suggests ************************** If you believe that rsyslogd should be allowed open access on the 0 chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep 72733A6D61696E20513A526567 /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:syslogd_t:s0 Target Context unconfined_u:object_r:user_devpts_t:s0 Target Objects /dev/pts/0 [ chr_file ] Source 72733A6D61696E20513A526567 Source Path /usr/sbin/rsyslogd Port <Unknown> Host (removed) Source RPM Packages rsyslog-7.4.2-2.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-106.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.11.9-300.fc20.x86_64 #1 SMP Wed Nov 20 22:23:25 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-12-05 19:03:32 CET Last Seen 2013-12-05 19:03:32 CET Local ID 9d10f9fb-2374-4e12-b932-b6a6843b02cf Raw Audit Messages type=AVC msg=audit(1386266612.841:5691): avc: denied { open } for pid=853 comm=72733A6D61696E20513A526567 path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file type=SYSCALL msg=audit(1386266612.841:5691): arch=x86_64 syscall=open success=yes exit=ETXTBSY a0=7f99261d7650 a1=901 a2=8 a3=1 items=0 ppid=1 pid=853 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=72733A6D61696E20513A526567 exe=/usr/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null) Hash: 72733A6D61696E20513A526567,syslogd_t,user_devpts_t,chr_file,open Additional info: reporter: libreport-2.1.9 hashmarkername: setroubleshoot kernel: 3.11.9-300.fc20.x86_64 type: libreport Potential duplicate: bug 730987
Might be related to the latest re-appearance of bug 781807.
Not sure why that is. Translating the AVC shows. type=SYSCALL msg=audit(12/05/2013 13:03:32.841:5691) : arch=unknown elf type(x86_64) syscall=read success=yes exit=ETXTBSY a0=0x7f99261d7650 a1=0x901 a2=0x8 a3=0x1 items=0 ppid=1 pid=853 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=rs:main Q:Reg exe=/usr/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null) type=AVC msg=audit(12/05/2013 13:03:32.841:5691) : avc: denied { open } for pid=853 comm=rs:main Q:Reg path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file Any idea why rsyslog would be trying to talk to a user terminal? Also what is "rs:main Q:Reg"
(In reply to Daniel Walsh from comment #2) > Any idea why rsyslog would be trying to talk to a user terminal? Messages with the "emergency" severity go to all terminals per the default configuration. rsyslog.conf: > # Everybody gets emergency messages > *.emerg :omusrmsg:* Looking at the other BZ, the messages came from packagekit. Given that this is the default configuration, rsyslog should probably be allowed to write to terminals. > Also what is "rs:main Q:Reg" There are multiple threads handling the individual message queues. This looks like the "main message queue" thread.
I'll just switch this back to selinux-policy. I'd say it's desirable to allow this usecase.
Turning on the logging_syslogd_use_tty boolean would allow this. setsebool -P logging_syslogd_use_tty 1 I guess we could turn this on by default.
commit 9c3b38d294ab23b4077edd81533ba63153d1b6c9 Author: Miroslav Grepl <mgrepl> Date: Tue Jan 7 15:28:55 2014 +0100 Turn on logging_syslogd_use_tty by default
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Package selinux-policy-3.12.1-116.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.