Description of problem:
avc: denied { read write } for comm=unix_chkpwd

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-62.fc8

How reproducible:
Always

Steps to Reproduce:
1. Open a telnet session and log in.
2. Message "setroubleshoot: #012 SELinux prevented /sbin/unix_chkpwd from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l 88ecc162-adf0-406c-b611-a880ec73f5f5" appears in /var/log/messages.

Actual results:
Login succeeds, but the log message is annoying.

Expected results:
No log message.

Additional info:
[root@xxx ~]# sealert -l 88ecc162-adf0-406c-b611-a880ec73f5f5

Summary
    SELinux prevented /sbin/unix_chkpwd from using the terminal <Unknown>.

Detailed Description
    SELinux prevented /sbin/unix_chkpwd from using the terminal <Unknown>. In most cases daemons do not need to interact with the terminal, usually these avc messages can be ignored. All of the confined daemons should have dontaudit rules around using the terminal. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this selinux-policy. If you would like to allow all daemons to interact with the terminal, you can turn on the allow_daemons_use_tty boolean.

Allowing Access
    Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1."

    The following command will allow this access:
    setsebool -P allow_daemons_use_tty=1

Additional Information

Source Context          system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
Target Context          system_u:object_r:telnetd_devpts_t:s0
Target Objects          None [ chr_file ]
Affected RPM Packages   pam-0.99.8.1-10.fc8 [application]
Policy RPM              selinux-policy-3.0.8-62.fc8
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.allow_daemons_use_tty
Host Name               xxx.int.*.com
Platform                Linux xxx.int.*.com 2.6.23.8-63.fc8 #1 SMP Wed Nov 21 18:51:08 EST 2007 i686 i686
Alert Count             66
First Seen              Tue Dec 4 02:09:21 2007
Last Seen               Sun Dec 9 16:53:59 2007
Local ID                88ecc162-adf0-406c-b611-a880ec73f5f5
Line Numbers

Raw Audit Messages

avc: denied { read write } for comm=unix_chkpwd dev=devpts egid=0 euid=0 exe=/sbin/unix_chkpwd exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=4 pid=3200 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 suid=0 tclass=chr_file tcontext=system_u:object_r:telnetd_devpts_t:s0 tty=(none) uid=0
These can be safely ignored, and will be dontaudited in the next release. Fixed in selinux-policy-3.0.8-68.fc8
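
An added example (not part of the bug report and not the selinux-policy change itself): it parses the raw AVC message from the report and renders a dontaudit rule of the kind the comment above refers to. The function names and the terminal-type heuristic are assumptions of this example; the rule actually shipped in the updated policy is not shown on this page.

```python
import re

# Raw audit message quoted from the bug report above.
RAW_AVC = (
    "avc: denied { read write } for comm=unix_chkpwd dev=devpts egid=0 euid=0 "
    "exe=/sbin/unix_chkpwd exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=4 pid=3200 "
    "scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 suid=0 "
    "tclass=chr_file tcontext=system_u:object_r:telnetd_devpts_t:s0 tty=(none) uid=0"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")


def context_type(context):
    """Return the type from user:role:type[:level]; it is always the third field."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]


def parse_avc(line):
    """Extract the pieces of an AVC denial that a policy rule is written from."""
    match = AVC_RE.search(line)
    if match is None:
        raise ValueError("not an AVC denial")
    fields = dict(kv.split("=", 1) for kv in match.group("fields").split() if "=" in kv)
    missing = {"scontext", "tcontext", "tclass"} - fields.keys()
    if missing:
        raise ValueError(f"AVC record lacks {sorted(missing)}")
    return {
        "perms": sorted(match.group("perms").split()),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def is_terminal_denial(avc):
    """Heuristic (assumption of this example): character device with a pty/tty type."""
    return avc["tclass"] == "chr_file" and any(s in avc["target_type"] for s in ("devpts", "tty"))


def dontaudit_rule(avc):
    """Render a dontaudit rule: the access stays denied, only the logging stops."""
    return "dontaudit {source_type} {target_type}:{tclass} {{ {p} }};".format(p=" ".join(avc["perms"]), **avc)


if __name__ == "__main__":
    print(dontaudit_rule(parse_avc(RAW_AVC)))
```

Unlike setting allow_daemons_use_tty, a dontaudit rule grants nothing: unix_chkpwd is still denied the pty, and only the log entry is suppressed. On a live system, `audit2allow -D` produces dontaudit rules from audit records.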
Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.