Description of problem:
The default rules of the targeted SELinux policy block talk from working, by blocking the talk daemon (ntalkd, or in.ntalkd) from accessing utmp and /dev.

Version-Release number of selected component (if applicable):

How reproducible:
Always.

Steps to Reproduce:
1. Enable the ntalk daemon (edit /etc/xinetd.d/ntalk, and change "disable = yes" to "disable = no").
2. reload/restart xinetd ("/etc/init.d/xinetd reload").
3. mesg y
4. open another session, say for "user", mesg y there too.
5. talk user

Actual results:
Various error messages about how "user" isn't logged on, or other errors reported in the logs.

Expected results:
talk session should start

Additional info:
Work-around: Running audit2allow I found the following rules sufficient to enable talk to work. These rules were added to the /etc/selinux/targeted/src/policy/domains/misc/local.te file:

# Added rules from audit2allow, to enable in.ntalkd to work:
allow inetd_child_t initrc_var_run_t:file { read write };
allow inetd_child_t initrc_var_run_t:file lock;
allow inetd_child_t devpts_t:dir search;
allow inetd_child_t devpts_t:chr_file getattr;
allow inetd_child_t devpts_t:chr_file write;

(Note the talk daemon supports a debug option, to create a /var/log/talkd.log file, however this is also blocked. I didn't bother to find the rule to allow that, but it too should be added to the default targeted policy.)

Once these rules were added, you can rebuild the targeted policy with:
cd /etc/selinux/targeted/src/policy; make policy install load
Thanks! From testing at the console it seems it will be necessary to allow also tty_device_t:chr_file write.
Note that the work-around rules seem to allow any xinetd service this access, not just the talk daemon. When officially modifying the targeted policy, I hope someone with more skill than I have will research this to only put in the minimum set of rules. I note in passing that Fedora Core 4 seems to ship with three different talk daemons, talkd, ntalkd, and ktalkd, but I have no idea what the differences might be. There appears to be a boolean for ktalk, but I don't know what it is for. Finally, remember that ntalkd (at least) needs permissions to create its log file and packet capture file, when the -d and -p options are used. When the proper set of minimal rules are known, please add them to this bug report as a better work-around, until the next release of the targeted (and strict?) policy that includes them.
Did you try setting chcon -t ktalkd_exec_t /usr/sbin/in.talkd, or whatever path it has?
Nope. All I did was run audit2allow and add the rules it said it wanted. I know these aren't the best set for this, but I'm not an SELinux expert and it only had to work as a temporary work-around, so I haven't researched the issue any further once talk started working. I leave finding the best fix to you. (Only post it here when you figure it out!)
I made the change in policy mentioned above in the latest devel (rawhide) policy, so could you try it and make sure it works? If it does I will make the same change in FC4.
I can see no change with selinux-policy-targeted-2.2.20-1. Changing the type to ktalkd_exec_t doesn't help either:

type=AVC msg=audit(1140741294.248:20): avc: denied { read } for pid=1416 comm="in.ntalkd" name="utmp" dev=dm-0 ino=98311 scontext=root:system_r:ktalkd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1140741294.248:20): arch=40000003 syscall=5 success=no exit=-13 a0=fbff12 a1=0 a2=1 a3=fbff18 items=1 pid=1416 auid=0 uid=99 gid=5 euid=99 suid=99 fsuid=99 egid=5 sgid=5 fsgid=5 comm="in.ntalkd" exe="/usr/sbin/in.ntalkd"
type=CWD msg=audit(1140741294.248:20): cwd="/dev"
type=PATH msg=audit(1140741294.248:20): item=0 name="/var/run/utmp" flags=101 inode=98311 dev=fd:00 mode=0100664 ouid=0 ogid=22 rdev=00:00
type=AVC msg=audit(1140741294.272:21): avc: denied { read } for pid=1416 comm="in.ntalkd" name="utmp" dev=dm-0 ino=98311 scontext=root:system_r:ktalkd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1140741294.272:21): arch=40000003 syscall=5 success=no exit=-13 a0=fbff12 a1=0 a2=0 a3=fbff18 items=1 pid=1416 auid=0 uid=99 gid=5 euid=99 suid=99 fsuid=99 egid=5 sgid=5 fsgid=5 comm="in.ntalkd" exe="/usr/sbin/in.ntalkd"
type=CWD msg=audit(1140741294.272:21): cwd="/dev"
type=PATH msg=audit(1140741294.272:21): item=0 name="/var/run/utmp" flags=101 inode=98311 dev=fd:00 mode=0100664 ouid=0 ogid=22 rdev=00:00
Does the application work? I.e. is it generating these AVC messages but still working?
No, the client reports roughly "user root is not logged in".
Ok, can you setenforce 0 and then tell me if additional avc messages are generated? If you want to get it working now, you can build a loadable policy module to add this rule by executing:

# audit2allow -M talkd -i /var/log/audit/audit.log
# semodule -i talkd.pp
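As an added illustration (not code from this bug report, and not audit2allow itself), the script below does the core of what the audit2allow step above does: it parses AVC denial records like the ones quoted earlier, merges the denied permissions per (source type, target type, object class), and renders them as TE allow rules in the same form as the local.te work-around. The sample log is constructed from the records in this report; as the earlier comment warns, rules produced this way are only a starting point and still need to be narrowed by hand.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the AVC/SYSCALL records quoted in this report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1140741294.248:20): avc: denied { read } for pid=1416 comm="in.ntalkd" name="utmp" dev=dm-0 ino=98311 scontext=root:system_r:ktalkd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1140741294.248:20): arch=40000003 syscall=5 success=no exit=-13 comm="in.ntalkd" exe="/usr/sbin/in.ntalkd"
type=AVC msg=audit(1140741294.272:21): avc: denied { read } for pid=1416 comm="in.ntalkd" name="utmp" dev=dm-0 ino=98311 scontext=root:system_r:ktalkd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1140741294.300:22): avc: denied { write } for pid=1416 comm="in.ntalkd" name="utmp" dev=dm-0 ino=98311 scontext=root:system_r:ktalkd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1140741294.310:23): avc: denied { getattr write } for pid=1416 comm="in.ntalkd" name="2" dev=devpts ino=4 scontext=root:system_r:ktalkd_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
"""

# Only AVC records carry the access vector; SYSCALL/CWD/PATH records are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return denials


def allow_rules(denials):
    """Render the merged denials as TE allow rules, one per (source, target, class)."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Repeated denials for the same triple (here the two utmp reads) collapse into one rule, and separate read and write denials merge into a single { read write } permission set.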
Created attachment 125375: module for running in.ntalkd from xinitrc

The attached module allows running in.ntalkd as inetd_child_t. Running as ktalkd requires all of the "allow" rules except for the initrc_var_run_t one.
Created attachment 125446: Allow writing to /var/log/talkd.{log,packets}

An additional module, to allow the debug output. I'm not sure we want this one, it probably allows too much and the logs are really for debugging talkd.
*** Bug 183995 has been marked as a duplicate of this bug. ***