Description of problem:
semanage shows no output on text console.

Version-Release number of selected component (if applicable):
policycoreutils-1.30.10-2.fc5 i386
selinux-policy-2.2.43-4.fc5 noarch
selinux-policy-targeted-2.2.43-4.fc5 noarch

How reproducible:
always

Steps to Reproduce:
1. Log in as root on a text console (tty1-tty6)
2. Issue "semanage port -l" (or any other command, including --help)

Actual results:
There is no output at all.

Expected results:
Command output as expected.

Additional info:
This works on konsole under kde.

ausearch -c semanage:
----
time->Fri Jun 30 09:36:08 2006
type=PATH msg=audit(1151652968.693:757): item=2 name=(null) inode=1083300 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1151652968.693:757): item=1 name=(null) inode=2555947 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(1151652968.693:757): item=0 name="/usr/sbin/semanage" inode=878768 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:semanage_exec_t:s0
type=CWD msg=audit(1151652968.693:757): cwd="/root"
type=AVC_PATH msg=audit(1151652968.693:757): path="/dev/tty1"
type=AVC_PATH msg=audit(1151652968.693:757): path="/dev/tty1"
type=AVC_PATH msg=audit(1151652968.693:757): path="/dev/tty1"
type=SYSCALL msg=audit(1151652968.693:757): arch=40000003 syscall=11 success=yes exit=0 a0=98e1008 a1=98bf0a8 a2=98e3008 a3=98e1008 items=3 pid=13097 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="semanage" exe="/bin/env" subj=root:system_r:semanage_t:s0-s0:c0.c255
type=AVC msg=audit(1151652968.693:757): avc: denied { use } for pid=13097 comm="semanage" name="tty1" dev=tmpfs ino=1113 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1151652968.693:757): avc: denied { use } for pid=13097 comm="semanage" name="tty1" dev=tmpfs ino=1113 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1151652968.693:757): avc: denied { use } for pid=13097 comm="semanage" name="tty1" dev=tmpfs ino=1113 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c255 tclass=fd

This looks like a major labeling problem. When you log in you end up in local_login_t, which is a severe problem.

You need to relabel the system:

touch /.autorelabel
reboot

Did that and the problem is still there.

Now for the context - id for root logged in on tty1 returns this:

uid=0(root) gid=0(root) grupy=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh

So where is local_login_t then??

And for completeness:

geralt:~> ls -Z /usr/sbin/semanage
-rwxr-xr-x root root system_u:object_r:semanage_exec_t /usr/sbin/semanage
geralt:~> ls -Z /sbin/mingetty
-rwxr-xr-x root root system_u:object_r:getty_exec_t /sbin/mingetty
geralt:~> ls -Z /bin/login
-rwxr-xr-x root root system_u:object_r:login_exec_t /bin/login
geralt:~> ls -Z /bin/tcsh
-rwxr-xr-x root root system_u:object_r:shell_exec_t /bin/tcsh

/bin/tcsh is the root shell (changing this to /bin/bash does not help).

Now, as I see some references to tmpfs in the ausearch output:

geralt:~> ls -Zd /tmp /dev/shm
drwxrwxrwt root root system_u:object_r:tmpfs_t /dev/shm
drwxrwxrwt root root system_u:object_r:tmp_t /tmp

What is different from the default is that /tmp is mounted on tmpfs:

tmpfs on /tmp type tmpfs (rw,size=1G)

Yes, you are right. I have duplicated it here.

Fixed in selinux-policy-2.3.2-2
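
An added example, not part of the original bug thread: a small Python triage helper that collapses the repeated AVC records from the ausearch output in the report into one line per unique denial. The function names are hypothetical, and the sample is the AVC record copied from the report.

```python
import re
from collections import Counter

# One AVC record copied from the report above; the log contains it three times.
AVC = ('type=AVC msg=audit(1151652968.693:757): avc: denied { use } for pid=13097 '
       'comm="semanage" name="tty1" dev=tmpfs ino=1113 '
       'scontext=root:system_r:semanage_t:s0-s0:c0.c255 '
       'tcontext=system_u:system_r:local_login_t:s0-s0:c0.c255 tclass=fd')
SAMPLE = "\n".join([AVC] * 3)

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def selinux_type(context):
    """Type is the third field of user:role:type[:mls-range]; the range may contain ':'."""
    return context.split(":", 3)[2]


def summarize(log_text):
    """Count identical denials keyed by (comm, source type, target type, class, perms)."""
    seen = Counter()
    for m in AVC_RE.finditer(log_text):
        seen[(m["comm"], selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
              m["tclass"], tuple(m["perms"].split()))] += 1
    return seen


def describe(key, count):
    """Render one unique denial as a single human-readable line."""
    comm, src, tgt, tclass, perms = key
    line = f'{comm}: {src} denied {{ {" ".join(perms)} }} on {tclass} labeled {tgt} (x{count})'
    if tclass == "fd":
        # An fd carries the label of the process that opened it, so this is a
        # descriptor inherited from a process running as the target type.
        line += f" [inherited descriptor, opened in {tgt}]"
    return line


if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(describe(key, count))
```

The three denials in the report line up with the three AVC_PATH records for /dev/tty1 in the same audit event.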