Bug 365851 - vpnc debugging fails to open/use pty
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-04 10:40 EST by David Woodhouse
Modified: 2007-11-30 17:12 EST
Fixed In Version: 44
Doc Type: Bug Fix
Last Closed: 2007-11-05 11:54:52 EST
Description David Woodhouse 2007-11-04 10:40:09 EST
With 'setenforce 0' I get debug output from vpnc. Part of the strace looks like
this:

-fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0

... and later it writes debug information to stdout. With 'setenforce 1' I
repeat exactly the same command, and the relevant part of the strace looks like
this:

+fstat64(1, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
+ioctl(1, TCGETS, 0xffec4d58)            = -1 ENOTTY (Inappropriate ioctl for device)

I get an associated denial: 
audit(1194190616.960:119): avc:  denied  { use } for  pid=2333 comm="vpnc" path="/dev/pts/1" dev=devpts ino=3 scontext=root:system_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fd

and no debug output.
Comment 1 Tomas Mraz 2007-11-05 03:18:05 EST
What does 'getsebool allow_daemons_use_tty' print?
Comment 2 David Woodhouse 2007-11-05 10:36:38 EST
[root@ps3 ~]# getsebool allow_daemons_use_tty
allow_daemons_use_tty --> off
[root@ps3 ~]# setsebool allow_daemons_use_tty on

Doesn't help.
Comment 3 Tomas Mraz 2007-11-05 10:55:50 EST
It should -> selinux-policy.
Comment 4 Daniel Walsh 2007-11-05 11:54:52 EST
What version of selinux policy are you seeing this with?

 rpm -q selinux-policy
selinux-policy-3.0.8-44.fc8

 audit2why <  /tmp/t
audit(1194190616.960:119): avc:  denied  { use } for  pid=2333 comm="vpnc" path="/dev/pts/1" dev=devpts ino=3 scontext=root:system_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fd
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.
                Possible mismatch between current in-memory boolean settings vs. permanent ones.

So I believe this is fixed in the latest policy.
Comment 5 David Woodhouse 2007-11-05 13:45:50 EST
This seems to be the case. I seem to have updated my PS3 just before the latest
policy hit my local mirror. Thanks.
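
For triaging a denial like the one in this report, the following added example (not part of the bug thread, and not audit2why or audit2allow code) parses an AVC record and derives the type-enforcement rule to look for in the installed policy. The function names `parse_avc`, `te_rule` and `rules_for` are hypothetical.

```python
import re

# The denial from the report; line breaks from a wrapped paste are tolerated.
SAMPLE = '''audit(1194190616.960:119): avc:  denied  { use } for  pid=2333 comm="vpnc"
path="/dev/pts/1" dev=devpts ino=3 scontext=root:system_r:vpnc_t:s0-s0:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fd'''

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', re.S)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Parse one AVC record into a dict; return None if it is not one."""
    m = AVC_RE.search(text)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec['result'], rec['perms'] = m.group(1), m.group(2).split()
    for side in ('scontext', 'tcontext'):
        # Context is user:role:type[:mls-range]; the range may contain ':'.
        parts = rec.get(side, '').split(':', 3)
        if len(parts) < 3:
            return None
        rec[side[0] + 'type'] = parts[2]
    return rec if 'tclass' in rec else None

def te_rule(rec):
    """Type-enforcement rule that would cover this denial (for policy review)."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_str};"

def rules_for(records):
    """Deduplicated, sorted rules for all denied records in an iterable."""
    parsed = (parse_avc(r) for r in records)
    return sorted({te_rule(p) for p in parsed if p and p['result'] == 'denied'})

if __name__ == '__main__':
    rec = parse_avc(SAMPLE)
    print(rec['comm'], rec['path'], '->', te_rule(rec))
```

For this record the target type is sshd_t rather than a pty type because the `fd` class governs use of a descriptor opened by another domain, here the terminal inherited from the sshd session.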
