Bug 430505 - SELinux claims that /bin/su is daemon and it shouldn't use terminal
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All, OS: Linux
Priority: low, Severity: low
Assigned To: Ondrej Vasik
Fedora Extras Quality Assurance
: SELinux
Reported: 2008-01-28 10:06 EST by Matěj Cepl
Modified: 2008-01-29 10:29 EST
Fixed In Version: selinux-policy-3.2.5-20
Doc Type: Bug Fix
Last Closed: 2008-01-29 10:29:51 EST
Description Matěj Cepl 2008-01-28 10:06:32 EST
Description of problem:


SELinux prevented su(/bin/su) from using the terminal <Unknown>.

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was
permitted due to enforcing mode.]

SELinux prevented su(/bin/su) from using the terminal <Unknown>. In most cases
daemons do not need to interact with the terminal, usually these avc messages
can be ignored. All of the confined daemons should have dontaudit rules around
using the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.

Allowing Access:

Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."

The following command will allow this access:

setsebool -P allow_daemons_use_tty=1

Additional Information:

Source Context                unconfined_u:system_r:initrc_su_t
Target Context                unconfined_u:object_r:unconfined_devpts_t
Target Objects                None [ chr_file ]
Source                        su(/bin/su)
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.5-19.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_daemons_use_tty
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz
                              2.6.24-0.167.rc8.git4.fc9 #1 SMP Tue Jan 22
                              22:53:00 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Po 28. leden 2008, 15:59:52 CET
Last Seen                     Po 28. leden 2008, 15:59:52 CET
Local ID                      2d0ea05c-c95f-4d35-ab88-55c89582f161
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1201532392.74:888): avc:  denied  {
read write } for  pid=8907 comm="su" name="1" dev=devpts ino=3
tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201532392.74:888):
arch=c000003e syscall=59 success=yes exit=0 a0=8d1e70 a1=8c8410 a2=8d39d0 a3=8
items=0 ppid=8894 pid=8907 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 comm="su" exe="/bin/su"
subj=unconfined_u:system_r:initrc_su_t:s0 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:
not sure (happened a couple of times in the last couple of minutes)

Steps to Reproduce:
1. not sure -- sealert happened and all the information I have is what you see above
Actual results:
SELinux alert happened

Expected results:
it shouldn't

Additional info:
Actually I haven't used /bin/su directly (I use sudo all the time), so it had to
be some script or something doing this. The last two things I did were
reinstalling and chkconfig-on setroubleshootd and yum-updatesd.
Comment 1 Daniel Walsh 2008-01-28 11:22:33 EST
Fixed in selinux-policy-3.2.5-20
Comment 2 Ondrej Vasik 2008-01-29 10:29:51 EST
Confirmed fixed via IRC ... closing RAWHIDE
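
An added triage example, not part of the original bug report or of setroubleshoot: a minimal Python parser that correlates the AVC and SYSCALL records quoted in the description by their shared audit event id, and recovers the source domain from the SYSCALL `subj` field because the AVC line as posted carries no `scontext`. The function names are hypothetical, and the sample input is the report's two records rejoined onto single lines.

```python
import re

# The two audit records from the report, rejoined onto single lines
# (the page wraps them). The AVC line as posted has no scontext= field.
RAW = [
    'host=hubmaier.ceplovi.cz type=AVC msg=audit(1201532392.74:888): avc:  denied  { read write } for  pid=8907 comm="su" name="1" dev=devpts ino=3 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file',
    'host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201532392.74:888): arch=c000003e syscall=59 success=yes exit=0 a0=8d1e70 a1=8c8410 a2=8d39d0 a3=8 items=0 ppid=8894 pid=8907 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="su" exe="/bin/su" subj=unconfined_u:system_r:initrc_su_t:s0 key=(null)',
]

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
VERDICT = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one audit line into a dict; None if it has no audit header."""
    head = HEADER.search(line)
    if head is None:
        return None
    rec = {"type": head.group(1), "event": (head.group(2), head.group(3))}
    body = line[head.end():]
    verdict = VERDICT.search(body)
    if verdict:  # only AVC records carry a permission set
        rec["result"] = verdict.group(1)
        rec["perms"] = verdict.group(2).split()
        body = body[verdict.end():]
    for key, value in FIELD.findall(body):
        rec[key] = value.strip('"')
    return rec

def correlate(lines):
    """Group records by audit event id (timestamp, serial), keyed by type."""
    events = {}
    for rec in filter(None, map(parse_record, lines)):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    return events

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def summarize(event):
    """Triage view of one event; source falls back to SYSCALL subj."""
    avc, sc = event.get("AVC", {}), event.get("SYSCALL", {})
    return {
        "exe": sc.get("exe"), "tty": sc.get("tty"),
        "syscall": sc.get("syscall"),  # 59 on x86_64 is execve
        "source_type": selinux_type(avc.get("scontext") or sc.get("subj")),
        "target_type": selinux_type(avc.get("tcontext")),
        "tclass": avc.get("tclass"), "perms": avc.get("perms", []),
    }
```

Calling `summarize()` on the single correlated event shows the denial belongs to the `initrc_su_t` domain acting on an `unconfined_devpts_t` character device.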
