Bug 417291 - SELinux message for
SELinux message for
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
i386 Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-12-09 10:59 EST by Nils Hammar
Modified: 2008-01-30 14:18 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-30 14:18:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Nils Hammar 2007-12-09 10:59:54 EST
Description of problem:
avc: denied { read write } for comm=unix_chkpwd

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Open a telnet session and log in.
2. Message "setroubleshoot: #012    SELinux prevented /sbin/unix_chkpwd from
using the terminal <Unknown>.#012     For complete SELinux messages. run sealert
-l 88ecc162-adf0-406c-b611-a880ec73f5f5" appears in /var/log/messages.
Actual results:
Login succeeds, but the log message is annoying.

Expected results:
No log message.

Additional info:
[root@xxx ~]# sealert -l 88ecc162-adf0-406c-b611-a880ec73f5f5
    SELinux prevented /sbin/unix_chkpwd from using the terminal <Unknown>.

Detailed Description
    SELinux prevented /sbin/unix_chkpwd from using the terminal <Unknown>. In
    most cases daemons do not need to interact with the terminal, usually these
    avc messages can be ignored.  All of the confined daemons should have
    dontaudit rules around using the terminal.  Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this selinux-
    policy.  If you would like to allow all daemons to interact with the
    terminal, you can turn on the allow_daemons_use_tty boolean.

Allowing Access
    Changing the "allow_daemons_use_tty" boolean to true will allow this access:
    "setsebool -P allow_daemons_use_tty=1."

    The following command will allow this access:
    setsebool -P allow_daemons_use_tty=1

Additional Information        

Source Context                system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:telnetd_devpts_t:s0
Target Objects                None [ chr_file ]
Affected RPM Packages         pam- [application]
Policy RPM                    selinux-policy-3.0.8-62.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_daemons_use_tty
Host Name                     xxx.int.*.com
Platform                      Linux xxx.int.*.com #1 SMP
                              Wed Nov 21 18:51:08 EST 2007 i686 i686
Alert Count                   66
First Seen                    Tue Dec  4 02:09:21 2007
Last Seen                     Sun Dec  9 16:53:59 2007
Local ID                      88ecc162-adf0-406c-b611-a880ec73f5f5
Line Numbers                  

Raw Audit Messages            

avc: denied { read write } for comm=unix_chkpwd dev=devpts egid=0 euid=0
exe=/sbin/unix_chkpwd exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=4 pid=3200
scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 suid=0 tclass=chr_file
tcontext=system_u:object_r:telnetd_devpts_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-12-10 09:35:07 EST
These can be safely ignored, and will be dontaudited in the next release.

Fixed in selinux-policy-3.0.8-68.fc8
Comment 2 Daniel Walsh 2008-01-30 14:18:55 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.