Bug 138764 - SELinux FAQ - terminal device tty unlabeled or mislabeled
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq
All Linux
medium Severity medium
Assigned To: Karsten Wade
Tammy Fox
Blocks: 118757
Reported: 2004-11-10 19:56 EST by Karsten Wade
Modified: 2009-02-27 16:28 EST (History)
Last Closed: 2009-02-27 16:28:44 EST
Description Karsten Wade 2004-11-10 19:56:02 EST
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

Consider for addition to FAQ, if there continues to be interest in
SELinux on FC2 ...

<lockdown> ecute_no_trans } for  pid=2750 exe=/usr/sbin/prelink
path=/lib/ld-2.3.3.so dev=h
<lockdown> da1 ino=32080 scontext=system_u:system_r:prelink_t
<lockdown> _so_t tclass=file
<lockdown> that error I got from last nights cron so i added allow
prelink_t ld_so_t:file { execute_no_trans }; to custom.te and did a
make,  the make gave the following errors:
<lockdown> kernel: audit(1099766943.388:0): avc:  denied  { re
<lockdown> ad write } for  pid=3011 exe=/usr/bin/checkpolicy
path=/dev/tty2 dev=hda1 ino=26
<lockdown> 786 scontext=root:sysadm_r:checkpolicy_t
<lockdown>  tclass=chr_file
<lockdown> kernel: audit(1099766955.563:0): avc:  denied  { write }
for  pid=3018 exe=/usr/bin/checkpolicy path=/ dev=hda1 ino=5901
scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:root_t
<lockdown> should I just write rules allowing that?
<etbe> lockdown: Is that on FC2?  FC3 has policy to allow prelink_t
execute_no_trans access to ld_so_t...
<lockdown> yeah this is fc2
<etbe> lockdown: So you are logged on in tty2 when you run
checkpolicy?  Your terminal device is not labeled.  Did you run
setfiles in permissive mode and tell it to label /dev?
<lockdown> yeah I ran the make command on tty2,  didn't run setfiles
<etbe> root_t:chr_file?  That's pretty messed up, especially when the
path is described as "/".
<lockdown> it's pretty much a clean install with just a yum update
<etbe> lockdown: Logout and login again.  Run "ls -lZ `tty` " and you
should see the type as sysadm_tty_device_t.
<etbe> lockdown: We haven't done much testing of SE Linux with the
updates to FC2.  Maybe some of the updates broke things.  Installing
FC3T3 or FC3-rc would make things much easier for you...
<etbe> lockdown: Of course you'll learn a lot more about SE Linux by
starting with FC2.  ;)
<lockdown> I am gonna install fc3 final when I get it,  I'm just
playing around till then,  so it's not a big deal
<etbe> lockdown: OK.  Do you get the correct context for the terminal
after logging out and logging in again?
<lockdown> I logged out of both tty1 and tty2 logged in and on each ls
-lZ `tty`    both are root:object_r:sysadm_tty_device_t
<etbe> lockdown: That's what you want!
<lockdown> so try make again?
<etbe> lockdown: Yes, it'll all work now.
<etbe> lockdown: You must have run something like setfiles while
logged in.  Could be fixfiles or restorecon.  In enforcing mode they
wouldn't relabel your terminal, but in permissive they will.
<lockdown> ah, yeah i did fixfiles after installing some of the packages
<lockdown> definitely fixed that issue,  it's pretty far into the make
and no errors,  last time they came immediately

Version-Release of FAQ:

selinux-faq-1.2-10 (2004-11-09-T16:20-0800)
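
The symptom in the log above can be spotted directly in the audit messages. The following is an added example, not part of the original bug report or the FAQ: it parses AVC denials and reports terminal devices whose target type differs from the type expected for the role in scontext. The function names, the role-derived naming (generalised from sysadm_r and sysadm_tty_device_t in the log, with `_devpts_t` for ptys) and the skipping of system_r are assumptions, and the sample records are constructed.

```python
import re

# Constructed sample records in the audit format quoted in the log above;
# every pid, inode, timestamp and tcontext here is made up for illustration.
SAMPLE_LOG = """\
kernel: audit(1100000001.100:0): avc:  denied  { read write } for  pid=4101 exe=/usr/bin/checkpolicy path=/dev/tty2 dev=hda1 ino=1001 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
kernel: audit(1100000002.200:0): avc:  denied  { ioctl } for  pid=4102 exe=/usr/bin/checkpolicy path=/dev/tty1 dev=hda1 ino=1002 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file
kernel: audit(1100000003.300:0): avc:  denied  { write } for  pid=4103 exe=/usr/bin/checkpolicy path=/etc/example.conf dev=hda1 ino=1003 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:etc_t tclass=file
kernel: audit(1100000004.400:0): avc:  denied  { read write } for  pid=4104 exe=/usr/bin/checkpolicy path=/dev/pts/0 dev=devpts ino=2 scontext=root:sysadm_r:checkpolicy_t tcontext=system_u:object_r:device_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{[^}]*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
TERMINAL_PATH_RE = re.compile(r"^/dev/(tty\d+|pts/\d+)$")


def parse_avc(line):
    """Return the key=value fields of one AVC denial line, or None."""
    m = AVC_RE.search(line)
    return dict(FIELD_RE.findall(m.group(1))) if m else None


def expected_type(role, path):
    """Assumed naming convention: sysadm_r on /dev/ttyN -> sysadm_tty_device_t."""
    suffix = "_devpts_t" if path.startswith("/dev/pts/") else "_tty_device_t"
    return role[:-2] + suffix


def mislabeled_terminals(log_text):
    """List (path, actual_type, expected_type) for denials on mislabeled ttys."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "chr_file":
            continue
        path = rec.get("path", "")
        role = (rec.get("scontext", "").split(":") + ["", ""])[1]
        actual = (rec.get("tcontext", "").split(":") + ["", "", ""])[2]
        # Only login-session roles own a terminal; daemons (system_r) are skipped.
        if not TERMINAL_PATH_RE.match(path) or role in ("", "system_r"):
            continue
        want = expected_type(role, path)
        if actual != want:
            hits.append((path, actual or "<missing>", want))
    return hits


if __name__ == "__main__":
    print(mislabeled_terminals(SAMPLE_LOG))
```

A record that has lost its tcontext field, as in the pasted log, is reported with `<missing>` as the actual type.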
Comment 1 Matthew Miller 2005-04-26 11:10:57 EDT
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
Comment 2 Susan Lauber 2009-02-27 16:28:44 EST
I am closing the ancient bug.

There is an FC5 FAQ http://docs.fedoraproject.org/selinux-faq/
and a list of proposed updates in the wiki at

Additional FAQ work will likely remain in the wiki but there is also
a F10 SELinux Users Guide http://docs.fedoraproject.org/selinux-user-guide/
