204986 – Errors from pam_console

Bug 204986 - Errors from pam_console

Summary: Errors from pam_console

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-09-01 20:52 UTC by Bill Nottingham
Modified:	2020-03-27 12:59 UTC (History)
CC List:	2 users (show)
Fixed In Version:	Current
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-08-22 14:14:50 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Bill Nottingham 2006-09-01 20:52:26 UTC

Description of problem:

I get lots of:

audit(1157135283.604:30): avc:  denied  { read } for  pid=18194
comm="pam_console_app" name="/" dev=autofs ino=6665
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:autofs_t:s0 tclass=dir

from when pam_console looks for things in /mnt.

Either a) we should tell pam_console not to do that (things are in 
/media these days) or b) we should fix the policy.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.3.10-6
pam-0.99.6.2-1.fc6

Comment 1 Tomas Mraz 2006-09-04 06:43:59 UTC

a) is the right thing to do if we don't care much about upgrades from older FCs
where someone can have their customized mounts in /mnt which he expects to be
owned by console user.

But I'd say that policy should allow pam_console_apply to read and change things
in /mnt anyway.

Comment 2 Daniel Walsh 2006-09-18 19:18:44 UTC

Fixed in selinux-policy-2.3.14-4

Comment 3 Daniel Walsh 2007-08-22 14:14:50 UTC

Should be fixed in the current release

Note You need to log in before you can comment on or make changes to this bug.