Bug 181818 - SELinux default targeted policy blocks talk (in.ntalkd) from working
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Duplicates: 183995
Depends On:
Blocks:
 
Reported: 2006-02-16 20:39 UTC by Wayne Pollock
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-09 19:18:47 UTC
Type: ---
Embargoed:


Attachments
module for running in.ntalkd from xinitrc (458 bytes, text/plain)
2006-02-28 04:00 UTC, Miloslav Trmač

Allow writing to /var/log/talkd.{log,packets} (237 bytes, text/plain)
2006-03-01 05:03 UTC, Miloslav Trmač

Description Wayne Pollock 2006-02-16 20:39:38 UTC
Description of problem:

The default rules of the targeted SELinux policy block talk from working,
by blocking the talk daemon (ntalkd, or in.ntalkd) from accessing utmp and /dev.

Version-Release number of selected component (if applicable):


How reproducible:

Always.

Steps to Reproduce:
1. Enable ntalk daemon (edit /etc/xinetd.d/ntalk, and change "disable = yes" to
"disable = no").

2. reload/restart xinetd ("/etc/init.d/xinetd reload").

3. mesg y

4. open another session, say for "user", mesg y there too.

5. talk user

  
Actual results:

Various error messages about how "user" isn't logged on, or other errors
reported in the logs.

Expected results:

talk session should start

Additional info:

Work-around:

Running audit2allow I found the following rules sufficient to enable talk to
work.  These rules were added to the
/etc/selinux/targeted/src/policy/domains/misc/local.te file:

  # Added rules from audit2allow, to enable in.ntalkd to work:
  allow inetd_child_t initrc_var_run_t:file { read write };
  allow inetd_child_t initrc_var_run_t:file lock;
  allow inetd_child_t devpts_t:dir search;
  allow inetd_child_t devpts_t:chr_file getattr;
  allow inetd_child_t devpts_t:chr_file write;

(Note the talk daemon supports a debug option, to create a /var/log/talkd.log
file, however this is also blocked.  I didn't bother to find the rule to
allow that, but it too should be added to the default targeted policy.)

Once these rules were added, you can rebuild the targeted policy with:

                cd /etc/selinux/targeted/src/policy;
                make policy install load

Comment 1 Miloslav Trmač 2006-02-16 22:37:38 UTC
Thanks!  From testing at the console it seems it will be necessary to allow also
tty_device_t:chr_file write.


Comment 2 Wayne Pollock 2006-02-17 05:25:44 UTC
Note that the work-around rules seem to allow any xinetd service this access,
not just the talk daemon.  When officially modifying the targeted policy, I hope
someone with more skill than I have will research this to only put in the
minimum set of rules.  I note in passing that Fedora Core 4 seems to ship with
three different talk daemons, talkd, ntalkd, and ktalkd, but I have no idea what
the differences might be.  There appears to be a boolean for ktalk, but I don't
know what it is for.  Finally, remember that ntalkd (at least) needs permissions
to create its log file and packet capture file, when the -d and -p options are used.

When the proper set of minimal rules is known, please add them to this bug
report as a better work-around, until the next release of the targeted (and
strict?) policy that includes them.

Comment 3 Daniel Walsh 2006-02-17 19:22:44 UTC
Did you try setting 

chcon -t ktalkd_exec_t /usr/sbin/in.talkd 
Or whatever path it has?

Comment 4 Wayne Pollock 2006-02-17 22:26:50 UTC
Nope.  All I did was run audit2allow and add the rules it said it wanted.  I
know these aren't the best set for this, but I'm not an SELinux expert and it
only had to work as a temporary work-around, so I haven't researched the issue
any further once talk started working.  I leave finding the best fix to you. 
(Only post it here when you figure it out!)

Comment 5 Daniel Walsh 2006-02-20 16:48:24 UTC
I made the change in policy mentioned above in the latest devel (rawhide)
policy, so could you try it and make sure it works.  If it does I will make the
same change in FC4.



Comment 6 Miloslav Trmač 2006-02-24 00:34:39 UTC
I can see no change with selinux-policy-targeted-2.2.20-1.

Changing the type to ktalkd_exec_t doesn't help either:

type=AVC msg=audit(1140741294.248:20): avc:  denied  { read } for  pid=1416 comm="in.ntalkd" name="utmp" dev=dm-0 ino=98311 scontext=root:system_r:ktalkd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1140741294.248:20): arch=40000003 syscall=5 success=no exit=-13 a0=fbff12 a1=0 a2=1 a3=fbff18 items=1 pid=1416 auid=0 uid=99 gid=5 euid=99 suid=99 fsuid=99 egid=5 sgid=5 fsgid=5 comm="in.ntalkd" exe="/usr/sbin/in.ntalkd"
type=CWD msg=audit(1140741294.248:20):  cwd="/dev"
type=PATH msg=audit(1140741294.248:20): item=0 name="/var/run/utmp" flags=101 inode=98311 dev=fd:00 mode=0100664 ouid=0 ogid=22 rdev=00:00
type=AVC msg=audit(1140741294.272:21): avc:  denied  { read } for  pid=1416 comm="in.ntalkd" name="utmp" dev=dm-0 ino=98311 scontext=root:system_r:ktalkd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1140741294.272:21): arch=40000003 syscall=5 success=no exit=-13 a0=fbff12 a1=0 a2=0 a3=fbff18 items=1 pid=1416 auid=0 uid=99 gid=5 euid=99 suid=99 fsuid=99 egid=5 sgid=5 fsgid=5 comm="in.ntalkd" exe="/usr/sbin/in.ntalkd"
type=CWD msg=audit(1140741294.272:21):  cwd="/dev"
type=PATH msg=audit(1140741294.272:21): item=0 name="/var/run/utmp" flags=101 inode=98311 dev=fd:00 mode=0100664 ouid=0 ogid=22 rdev=00:00


Comment 7 Daniel Walsh 2006-02-24 13:36:00 UTC
Does the application work?  I.e. is it generating these AVC messages but still 
working?

Comment 8 Miloslav Trmač 2006-02-24 13:47:56 UTC
No, the client reports roughly "user root is not logged in".

Comment 9 Daniel Walsh 2006-02-24 14:36:42 UTC
Ok can you setenforce 0 and then tell me if additional avc messages are generated?

If you want to get it working now,  you can build a loadable policy module to
add this rule by executing

# audit2allow -M talkd -i /var/log/audit/audit.log
# semodule -i talkd.pp


Comment 10 Miloslav Trmač 2006-02-28 04:00:43 UTC
Created attachment 125375 [details]
module for running in.ntalkd from xinitrc

The attached module allows running in.ntalkd as inetd_child_t.
Running as ktalkd requires all of the "allow" rules except for the
initrc_var_run_t one.

Comment 11 Miloslav Trmač 2006-03-01 05:03:17 UTC
Created attachment 125446 [details]
Allow writing to /var/log/talkd.{log,packets}

An additional module, to allow the debug output.  I'm not sure we want this one,
it probably allows too much and the logs are really for debugging talkd.

Comment 12 Miloslav Trmač 2006-03-04 22:51:26 UTC
*** Bug 183995 has been marked as a duplicate of this bug. ***

