Red Hat Bugzilla – Bug 427098
newrole without tty
Last modified: 2008-09-09 13:40:26 EDT
Description of problem: Need the ability to run newrole outside of a tty
Version-Release number of selected component (if applicable): 1.34.11
Try to run a command from newrole in a background script
Steps to Reproduce:
1. Create two shell scripts (foo1.sh, foo2.sh)
2. Have foo1.sh call foo2.sh and put into the background
3. In foo2.sh call newrole and pass it -- -c <command>
4. Verify that newrole says "Error! Could not retrieve tty information."
newrole -l SystemHigh -- -c ls /tmp
Error! Could not retrieve tty information
Newrole should run
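As an added reproduction aid (not part of the bug report or of policycoreutils), the script below shows how a helper launched in the background with stdin detached from a terminal loses the tty that newrole's check depends on, and how such a helper can detect that before calling newrole. It assumes newrole identifies the tty from standard input, and it prints the command it would run rather than invoking newrole, so it works where newrole is not installed.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumption: newrole looks up the
# terminal via ttyname() on standard input, so a process with no terminal on
# stdin triggers "Error! Could not retrieve tty information".

# stdin_tty_state prints "tty" when stdin is a terminal, otherwise "notty".
stdin_tty_state() {
    if [ -t 0 ]; then
        printf 'tty\n'
    else
        printf 'notty\n'
    fi
}

# run_like_foo1 mimics foo1.sh starting foo2.sh in the background with stdin
# detached (as a cron job, daemon or nohup'd script would be) and reports
# what the backgrounded helper saw.
run_like_foo1() {
    stdin_tty_state < /dev/null &
    wait $!
}

# guarded_newrole mimics what foo2.sh can do before calling newrole: refuse
# early with a clear diagnostic when there is no tty on stdin. On success it
# prints the command line it would run instead of executing it.
guarded_newrole() {
    level=$1
    shift
    if [ "$(stdin_tty_state)" = notty ]; then
        printf 'no tty on stdin: newrole -l %s would fail with "Could not retrieve tty information"\n' "$level" >&2
        return 1
    fi
    printf 'newrole -l %s -- -c %s\n' "$level" "$*"
}
```

Run from an interactive terminal, `guarded_newrole SystemHigh "ls /tmp"` prints the command, while `run_like_foo1` always reports `notty` because its stdin is redirected.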
Created attachment 290579 [details]
Patch to policycoreutils-1.34.11
Can't you do this with runcon?
Yes but I also need polyinstantiation of the tmp directory
My concern on modifying newrole is it is only allowed to happen on a secure
terminal, for LSPP. So if you try to newrole on a pseudo terminal it will fail.
Changing this to not require a terminal might break LSPP.
The issue for LSPP was that newrole relabels the tty/pty, and in the case of a
pty, this only relabels the slave end of the pty, not the master end, leaving
open a channel that can be used to downgrade information in violation of MLS
policy. Thus, LSPP added a check to newrole to restrict what types of ttys can
be used for level changes, and the LSPP configuration limited it to ttys rather
If there is no tty/pty with this patch, then newrole doesn't relabel anything,
and thus no new channels are introduced that didn't already exist.
So I don't see a problem here.
Tim, can you submit this upstream and get approval there? Then we can consider
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
This fix is in U2 policy.