Bug 153711 - pam_selinux.so will misreport errors on relabelling terminal devices
pam_selinux.so will misreport errors on relabelling terminal devices
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: pam (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
https://www.redhat.com/archives/fedor...
:
Depends On:
Blocks: 170587
  Show dependency treegraph
 
Reported: 2005-04-05 01:44 EDT by Russell Coker
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: pam-0.79-3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-05 03:40:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Russell Coker 2005-04-05 01:44:26 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)

Description of problem:
The below code from pam-0.78-selinux.patch has a bug.  It should use ptr  
instead of ttybuf when reporting the error so that if the strncmp() returns  
zero the correct data will be used.  This has been noted when su experiences  
sighup.  
  
+  if(strncmp("/dev/", tty, 5)) {  
+    snprintf(ttybuf,sizeof(ttybuf),"/dev/%s",tty);  
+    ptr = ttybuf;  
+  }  
+  else  
+    ptr = tty;  
+  
+  if (setfilecon(ptr, context))  
+  {  
+      syslog(LOG_NOTICE,  
+             _("Warning!  Could not relabel %s with %s, not relabeling.\n"),  
+             ttybuf,context);  
+  }  
  
Also note that in the case of a kill -1 on the sshd for a ssh login it's  
normal that the /dev/pts device will be gone before su notices anything has  
happened.  So maybe ENOENT should not even be logged in this case. 
 
The URL I've given is for the fedora-selinux-list discussion of this issue. 

Version-Release number of selected component (if applicable):
pam-0.78-5

How reproducible:
Always

Steps to Reproduce:
Login via ssh and su to another account.  Then kill -1 the sshd controlling 
the session.  Note that su logs a message such as the following: 
Apr  3 11:58:51 localhost su[3659]: Warning!  Could not relabel ,
\uffff\uff7f\u0661\uffff with user_u:object_r:devpts_t, not relabeling. 
 

Additional info:
Comment 1 Tomas Mraz 2005-04-05 03:40:46 EDT
Should be fixed in the next pam build.

Note You need to log in before you can comment on or make changes to this bug.