With 'setenforce 0' I get debug output from vpnc. Part of the strace looks like this:

-fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
...

and later it writes debug information to stdout. With 'setenforce 1' I repeat exactly the same command, and the relevant part of the strace looks like this:

+fstat64(1, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
+ioctl(1, TCGETS, 0xffec4d58) = -1 ENOTTY (Inappropriate ioctl for device)

I get an associated denial:

audit(1194190616.960:119): avc: denied { use } for pid=2333 comm="vpnc" path="/dev/pts/1" dev=devpts ino=3 scontext=root:system_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fd

and no debug output.
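As an added example (not code from this thread, nor from the vpnc or SELinux projects): a small Python parser for AVC records like the one quoted above. It splits out the source and target domains and names the fd-use case, in which the kernel replaces an inherited descriptor the new domain may not use with /dev/null, which is what the second strace shows for stdout. The sample line is the denial from this report; the function and field names are my own.

```python
import re

# Sample input: the AVC denial quoted in the report (constructed from the post).
SAMPLE_AVC = (
    'audit(1194190616.960:119): avc: denied { use } for pid=2333 comm="vpnc" '
    'path="/dev/pts/1" dev=devpts ino=3 '
    'scontext=root:system_r:vpnc_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fd'
)

# "avc: denied { perm perm } for key=val key="quoted val" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Pull the type (domain) out of user:role:type[:mls]; the MLS range is ignored.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":", 3)[2]
    return rec


def classify(rec):
    """One-line summary of a denial; the fd/use case is the one in this report."""
    if rec is None or rec["result"] != "denied":
        return "no denial"
    if rec.get("tclass") == "fd" and "use" in rec["perms"]:
        # On a domain transition the kernel swaps an fd the new domain may not
        # use for /dev/null (hence stdout showing up as makedev(1, 3) in strace).
        return ("%s inherited fd %s from %s but may not use it; the kernel replaced it "
                "with /dev/null on the domain transition, so output to it is lost"
                % (rec["scontext_type"], rec.get("path", "?"), rec["tcontext_type"]))
    return "%s denied %s on %s %s" % (rec["scontext_type"], ",".join(rec["perms"]),
                                      rec.get("tclass", "?"), rec.get("path", rec.get("name", "?")))


if __name__ == "__main__":
    print(classify(parse_avc(SAMPLE_AVC)))
```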
What does 'getsebool allow_daemons_use_tty' print?
[root@ps3 ~]# getsebool allow_daemons_use_tty
allow_daemons_use_tty --> off
[root@ps3 ~]# setsebool allow_daemons_use_tty on

Doesn't help.
It should -> selinux-policy.
What version of selinux policy are you seeing this with?

rpm -q selinux-policy
selinux-policy-3.0.8-44.fc8

audit2why < /tmp/t
audit(1194190616.960:119): avc: denied { use } for pid=2333 comm="vpnc" path="/dev/pts/1" dev=devpts ino=3 scontext=root:system_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fd
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.
Possible mismatch between current in-memory boolean settings vs. permanent ones.

So I believe this is fixed in the latest policy.
This seems to be the case. I seem to have updated my PS3 just before the latest policy hit my local mirror. Thanks.