1319821 – AVC denial appeared with the kerberized telnet daemon

Bug 1319821 - AVC denial appeared with the kerberized telnet daemon

Summary: AVC denial appeared with the kerberized telnet daemon

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.8
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-03-21 15:27 UTC by Patrik Kis
Modified:	2016-10-04 08:58 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-10-04 08:58:52 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Patrik Kis 2016-03-21 15:27:24 UTC

Description of problem:
The following AVC denial appeared when the the kerberized telnet client tried to log in to kerberized trelnet daemon.
The issue appeared only once.

time->Thu Mar 17 06:40:48 2016
type=PATH msg=audit(1458193248.406:114): item=0 name="/dev/pts/2" inode=5 dev=00:0b mode=020666 ouid=0 ogid=0 rdev=88:02 obj=unconfined_u:object_r:user_devpts_t:s0 nametype=NORMAL
type=CWD msg=audit(1458193248.406:114):  cwd="/"
type=SYSCALL msg=audit(1458193248.406:114): arch=c000003e syscall=2 success=no exit=-13 a0=7fc12af848e0 a1=2 a2=6 a3=7ffffc036360 items=1 ppid=18815 pid=18879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="telnetd" exe="/usr/kerberos/sbin/telnetd" subj=unconfined_u:system_r:telnetd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1458193248.406:114): avc:  denied  { read write } for  pid=18879 comm="telnetd" name="2" dev=devpts ino=5 scontext=unconfined_u:system_r:telnetd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-289.el6

How reproducible:
it happened only once

Steps to Reproduce:
1. Set up kerberos and start the kerberized telent daemon:
# chkconfig krb5-telnet on

2. Get TGT:
# kinit test-user

3. Try to telnet:

# /usr/kerberos/bin/telnet -l test-user <hostname>

Comment 2 Lukas Vrabec 2016-10-03 14:13:23 UTC

Are we able to reproduce it? 
In description is: 
How reproducible: it happened only once

Comment 3 Patrik Kis 2016-10-04 07:51:58 UTC

I can not reproduce it. I've run the test that produced this AVC denial on the released RHEL-6.8 about 100 times and the reported issue was not seen again.

Comment 4 Lukas Vrabec 2016-10-04 08:39:34 UTC

Patrik, 
THanks for testing. Do you agree on closing this issue as NOTABUG ?

Comment 5 Patrik Kis 2016-10-04 08:58:18 UTC

Sure, go ahead.

Comment 6 Lukas Vrabec 2016-10-04 08:58:52 UTC

See comment#2

Note You need to log in before you can comment on or make changes to this bug.