Bug 145901 - selinux denies use of /dev/tty
Summary: selinux denies use of /dev/tty
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-01-23 16:49 UTC by Tom Lane
Modified: 2013-07-03 03:03 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-01-28 01:05:53 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Tom Lane 2005-01-23 16:49:32 UTC 
Description of problem:
$ sudo /usr/sbin/setenforce 0
$ /usr/bin/postgres -V
postgres (PostgreSQL) 8.0.0

$ sudo /usr/sbin/setenforce 1
$ /usr/bin/postgres -V
$ 

/var/log/messages shows
Jan 23 11:38:22 rh1 kernel: audit(1106498302.606:0): avc:  denied  { getattr } for  
pid=4998 exe=/usr/bin/postgres path=/dev/pts/1 dev=devpts ino=3 scontext=user_u:
system_r:postgresql_t tcontext=user_u:object_r:devpts_t tclass=chr_file

This is really not acceptable ...

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.73
kernel-2.6.10-1.741_FC3

How reproducible:
100%

Steps to Reproduce:
1. See above.
2. 
3.
  
Actual results:
No output.

Expected results:
Version message as requested by -V flag.

Additional info:
Forced relabel via /.autorelabel does not help.
Comment 1 Tom Lane 2005-01-23 16:59:05 UTC 
BTW: before blowing this off as a trivial cosmetic issue, consider that help output is also 
suppressed (eg, postgres -h) and that it seems to affect all daemons not only postgres --- 
for instance try
/usr/sbin/named -h
Comment 2 Daniel Walsh 2005-01-24 19:57:26 UTC 
This is addressed in the rawhide policy, although it is fairly
difficult to fix in FC-3.  You can just pipe to cat to get the output.


/usr/bin/postgres -V | cat
postgres (PostgreSQL) 8.0.0
Comment 3 Tom Lane 2005-01-24 20:44:37 UTC 
The original complaint had to do with failing to obtain the -V output
from a popen() call, ie, popen("/usr/bin/postgres -V") returned zero
bytes.  I couldn't reproduce this locally; is it likely that some
prior version of the policy had that problem?
Comment 4 Daniel Walsh 2005-01-24 20:48:55 UTC 
Are you running rawhide policy?  Rawhide policy has fixed this problem
in that policy only takes effect when apps are run by init scripts. 
If you run a exe by hand it should not run in the protected domain. 
Moving this into FC3/RHEL4 is quite dangerous though, since extensive
changes in policy were required to make this happen.  If this becomes
a big problem in RHEL, I might have to make some major changes.

Dan
Comment 5 Tom Lane 2005-01-24 21:12:21 UTC 
No, this is all on FC3.  I'm running the currently released FC3
policy, and the original complainant said he was running FC3 also,
but I suppose it must have been an earlier policy version.

As long as the popen() case doesn't fail, this isn't a "must fix" as
far as Postgres is concerned; but I'd like to know why it did fail for
him.
Comment 6 Daniel Walsh 2005-01-26 17:57:08 UTC 
I don't know, did he get some AVC messages?

Dan
Comment 7 Tom Lane 2005-01-28 01:05:53 UTC 
I'll close this as "fixed rawhide" for now, unless I get some evidence about a
reproducible problem in FC3 current.
Note You need to log in before you can comment on or make changes to this bug.