Bug 426692 - SELinux prevented /bin/su from using the terminal /dev/pts/0
Summary: SELinux prevented /bin/su from using the terminal /dev/pts/0
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-12-24 12:49 UTC by Ed Young
Modified: 2007-12-31 13:06 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-12-31 13:06:05 UTC
Type: ---
Embargoed:



Description Ed Young 2007-12-24 12:49:13 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10

Description of problem:
I get an annoying selinux policy error when I attempt to launch a root terminal window from a user gnome session:

"SELinux prevented /bin/su from using the terminal /dev/pts/0. In most cases daemons do not need to interact with the terminal, usually these avc messages can be ignored. All of the confined daemons should have dontaudit rules around using the terminal. Please file a bug report against this selinux-policy. If you would like to allow all daemons to interact with the terminal, you can turn on the allow_daemons_use_tty boolean."

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-68.fc8

How reproducible:
Always


Steps to Reproduce:
1. Create a launcher on the gnome panel, command: gnome-terminal --geometry=80x50 --window-with-profile=Root --title=root -e 'su - root'
2. Use this launcher to launch a root window.
3. Notification area on panel shows an error.

Actual Results:
Error indicated in Notification Area on gnome panel.

Expected Results:
The gnome-terminal launches without error.

Additional info:
Source Context:  system_u:system_r:initrc_su_t:s0
Target Context:  system_u:object_r:rhgb_devpts_t:s0
Target Objects:  /dev/pts/0 [ chr_file ]
Affected RPM Packages:  coreutils-6.9-12.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-68.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.allow_daemons_use_tty
Host Name:  dad
Platform:  Linux dad 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count:  4
First Seen:  Mon 24 Dec 2007 01:18:15 AM EST
Last Seen:  Mon 24 Dec 2007 07:05:35 AM EST
Local ID:  e5d4cd3e-87c7-480a-a0ae-6e520c3a478d
Line Numbers:  

Raw Audit Messages :

avc: denied { read write } for comm=su dev=devpts egid=0 euid=0 exe=/bin/su exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/dev/pts/0 pid=2345 scontext=system_u:system_r:initrc_su_t:s0 sgid=0 subj=system_u:system_r:initrc_su_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:rhgb_devpts_t:s0 tty=(none) uid=0
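The raw AVC line above is the piece of this report that actually tells you what was denied: the source type (`initrc_su_t`), the target type (`rhgb_devpts_t`), the object class and the permissions. As an added example that is not part of the bug report or of setroubleshoot, the Python below parses such a line into its fields and renders the allow rule that would permit exactly this access (the same form `audit2allow` prints), which is useful for triage even when, as the maintainer concludes below, the right fix is relabeling rather than a policy change. The sample input is the denial quoted in this report; `parse_avc`, `split_context`, `to_allow_rule` and `describe` are names chosen for this example.

```python
import re

# Constructed sample input: the raw AVC denial quoted in this bug report.
SAMPLE_AVC = (
    "avc: denied { read write } for comm=su dev=devpts egid=0 euid=0 "
    "exe=/bin/su exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/dev/pts/0 pid=2345 "
    "scontext=system_u:system_r:initrc_su_t:s0 sgid=0 "
    "subj=system_u:system_r:initrc_su_t:s0 suid=0 tclass=chr_file "
    "tcontext=system_u:object_r:rhgb_devpts_t:s0 tty=(none) uid=0"
)

# "avc: denied { perm perm } for key=value ..." ; search() so that an
# audit.log prefix such as "type=AVC msg=audit(...): " is tolerated too.
_AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
# key=value tokens; values may be quoted (e.g. comm="gnome-terminal") or bare.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level] into parts. maxsplit=3 keeps an MLS range
    like s0-s0:c0.c1023 intact as the level component."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    user, role, type_ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc(line):
    """Parse one AVC message into verdict, permissions, class and contexts."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC message")
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError(f"AVC message missing {key}=")
    return {
        "verdict": m.group("verdict"),
        "perms": sorted(m.group("perms").split()),
        "tclass": fields["tclass"],
        "scontext": split_context(fields["scontext"]),
        "tcontext": split_context(fields["tcontext"]),
        "fields": fields,
    }


def to_allow_rule(avc):
    """Type-enforcement allow rule that would permit exactly this access."""
    perms = " ".join(avc["perms"])
    return (
        f"allow {avc['scontext']['type']} {avc['tcontext']['type']}:"
        f"{avc['tclass']} {{ {perms} }};"
    )


def describe(avc):
    """One-line human summary for a ticket or a triage note."""
    f = avc["fields"]
    what = f.get("path") or f.get("name") or "<unnamed object>"
    return (
        f"{f.get('comm', '?')} (pid {f.get('pid', '?')}, {avc['scontext']['type']}) "
        f"{avc['verdict']} {' '.join(avc['perms'])} on {avc['tclass']} {what} "
        f"({avc['tcontext']['type']})"
    )


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    print(describe(parsed))
    print(to_allow_rule(parsed))
```

The source and target types the parser pulls out are what make this denial worth a second look: a login `su` running as `initrc_su_t` against a pty labeled `rhgb_devpts_t` is not the pairing either program would normally have, which is the observation behind the maintainer's relabeling advice below. The allow rule is shown for completeness; writing it into a local module would silence the message without addressing why the labels are wrong.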

Comment 1 Daniel Walsh 2007-12-31 13:06:05 UTC
This looks like you have a badly mislabeled system.  You are logging in with a
bizarre context and this usually happens when your labeling is screwed up.

touch /.autorelabel; reboot 

Should fix the labeling.

