I start a container with "machinectl start" then try to attach a terminal with "machinectl login" and get:

```
Failed to get machine PTY: Message did not receive a reply (timeout by message bus)
```

And this from sealert on the audit.log:

```
SELinux is preventing dbus-daemon from 'read, write' accesses on the chr_file /dev/pts/ptmx.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dbus-daemon should be allowed read write access on the ptmx chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep dbus-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:devpts_t:s0
Target Objects                /dev/pts/ptmx [ chr_file ]
Source                        dbus-daemon
Source Path                   dbus-daemon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-122.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.1-300.fc22.x86_64 #1 SMP Wed Apr 29 15:48:25 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-05-07 15:33:31 CDT
Last Seen                     2015-05-07 15:33:31 CDT
Local ID                      c613069f-b279-4682-bc4a-3fd39d1a6dbd

Raw Audit Messages
type=AVC msg=audit(1431030811.98:263): avc: denied { read write } for pid=525 comm="dbus-daemon" path="/dev/pts/ptmx" dev="devpts" ino=2 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0

Hash: dbus-daemon,system_dbusd_t,devpts_t,chr_file,read,write
******************
```

The following policy module fixes the issue for me:

```
# cat dbuslocal.te
module dbuslocal 1.0;

require {
        type devpts_t;
        type system_dbusd_t;
        class chr_file { read write };
}

#============= system_dbusd_t ==============
allow system_dbusd_t devpts_t:chr_file { read write };
```
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
I can reproduce this denial on F25. I don't have privileges to re-open this bug. In order to get far enough to reproduce it, I first had to run `semanage permissive -a systemd_machined_t` (and not care about a number of AVC warnings).