Bug 426692 - SELinux prevented /bin/su from using the terminal /dev/pts/0
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: i386 Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-12-24 07:49 EST by Ed Young
Modified: 2007-12-31 08:06 EST
Doc Type: Bug Fix
Last Closed: 2007-12-31 08:06:05 EST

Description Ed Young 2007-12-24 07:49:13 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20071213 Fedora/ Firefox/

Description of problem:
I get an annoying selinux policy error when I attempt to launch a root terminal window from a user gnome session:

"SELinux prevented /bin/su from using the terminal /dev/pts/0. In most cases daemons do not need to interact with the terminal, usually these avc messages can be ignored. All of the confined daemons should have dontaudit rules around using the terminal. Please file a bug report against this selinux-policy. If you would like to allow all daemons to interact with the terminal, you can turn on the allow_daemons_use_tty boolean."

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a launcher on the gnome panel, command: gnome-terminal --geometry=80x50 --window-with-profile=Root --title=root -e 'su - root'
2. Use this launcher to launch a root window.
3. Notification area on panel shows an error.

Actual Results:
Error indicated in Notification Area on gnome panel.

Expected Results:
The gnome-terminal launches without error.

Additional info:
Source Context:  system_u:system_r:initrc_su_t:s0
Target Context:  system_u:object_r:rhgb_devpts_t:s0
Target Objects:  /dev/pts/0 [ chr_file ]
Affected RPM Packages:  coreutils-6.9-12.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-68.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.allow_daemons_use_tty
Host Name:  dad
Platform:  Linux dad #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count:  4
First Seen:  Mon 24 Dec 2007 01:18:15 AM EST
Last Seen:  Mon 24 Dec 2007 07:05:35 AM EST
Local ID:  e5d4cd3e-87c7-480a-a0ae-6e520c3a478d
Line Numbers:  

Raw Audit Messages :

avc: denied { read write } for comm=su dev=devpts egid=0 euid=0 exe=/bin/su exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/dev/pts/0 pid=2345 scontext=system_u:system_r:initrc_su_t:s0 sgid=0 subj=system_u:system_r:initrc_su_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:rhgb_devpts_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-12-31 08:06:05 EST
This looks like you have a badly mislabeled system.  You are logging in with a
bizarre context and this usually happens when your labeling is screwed up.

touch /.autorelabel; reboot 

Should fix the labeling.
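
To see which labels the denial in this report involves, the raw audit message can be split into its fields and its two security contexts. The following is an added example, not part of the bug report or of any SELinux tool: `SAMPLE` is the report's message shortened to the fields used, and `BOOT_PREFIXES` and `boot_time_types` are hypothetical names with an assumed prefix list chosen for illustration.

```python
import re
from collections import namedtuple

Context = namedtuple("Context", "user role type level")

# Constructed sample: the raw audit message from this report, shortened.
SAMPLE = ("avc: denied { read write } for comm=su dev=devpts exe=/bin/su "
          "path=/dev/pts/0 pid=2345 scontext=system_u:system_r:initrc_su_t:s0 "
          "tclass=chr_file tcontext=system_u:object_r:rhgb_devpts_t:s0 "
          "tty=(none) uid=0")

# Assumption for this example: type prefixes tied to boot-time components
# (init scripts, graphical boot) rather than to a desktop login session.
BOOT_PREFIXES = ("initrc_", "rhgb_")

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")


def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return Context(parts[0], parts[1], parts[2],
                   parts[3] if len(parts) > 3 else None)


def parse_avc(line):
    """Return decision, permission list and key=value fields of one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("no AVC record found")
    # This flattened format has no quoted values, so whitespace splitting works.
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    for key in ("scontext", "tcontext"):
        fields[key] = split_context(fields.get(key, ""))
    return {"decision": m.group(1), "perms": m.group(2).split(), **fields}


def boot_time_types(avc):
    """List source/target types that match one of the assumed boot prefixes."""
    return [avc[k].type for k in ("scontext", "tcontext")
            if avc[k].type.startswith(BOOT_PREFIXES)]


if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(rec["perms"], rec["tclass"], boot_time_types(rec))
```

Both types in this record match the assumed prefixes, which is the kind of context a desktop `su` session would not normally carry and is consistent with the relabel advice above.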
