Bug 432007 - SELinux warning
Summary: SELinux warning
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: x86_64
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-02-08 12:27 UTC by Wayne Price
Modified: 2008-11-17 22:03 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-17 22:03:00 UTC


Attachments (Terms of Use)

Description Wayne Price 2008-02-08 12:27:55 UTC
Description of problem:
setroubleshoot browser gave warning, and suggested filing as a bug report.
Problem occurred by 'chsh' to '/bin/tcsh' for the logged in user.



Summary
SELinux prevented /sbin/unix_update from using the terminal .

Detailed Description
SELinux prevented /sbin/unix_update from using the terminal . In most cases
daemons do not need to interact with the terminal, usually these avc messages
can be ignored. All of the confined daemons should have dontaudit rules around
using the terminal. Please file a bug report against this selinux-policy. If you
would like to allow all daemons to interact with the terminal, you can turn on
the allow_daemons_use_tty boolean.

Allowing Access
Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1.
"The following command will allow this access:setsebool -P allow_daemons_use_tty=1

Additional Information

Source Context:  system_u:system_r:updpwd_t:s0
Target Context:  system_u:object_r:unconfined_devpts_t:s0
Target Objects:  None [ chr_file ]
Affected RPM Packages:  pam-0.99.8.1-10.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-81.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.allow_daemons_use_tty
Host Name:  falcon.miramar
Platform:  Linux falcon.miramar 2.6.23.14-115.fc8 #1 SMP Mon Jan 21 14:22:56 EST
2008 x86_64 x86_64
Alert Count:  1
First Seen:  Fri 08 Feb 2008 12:20:32 PM GMT
Last Seen:  Fri 08 Feb 2008 12:20:32 PM GMT
Local ID:  b6bb1c39-d8c6-47ad-817b-f0cfa70877e8
Line Numbers:  
Raw Audit Messages 
:avc: denied { read write } for comm=unix_update dev=devpts egid=500 euid=0
exe=/sbin/unix_update exit=0 fsgid=500 fsuid=0 gid=500 items=0 name=2 pid=3370
scontext=system_u:system_r:updpwd_t:s0 sgid=500
subj=system_u:system_r:updpwd_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:unconfined_devpts_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2008-02-08 15:49:32 UTC
You can ignore this for now, it will be dontaudit'd in the next release.

Fixed in selinux-policy-3.0.8-84.fc8

Comment 2 Daniel Walsh 2008-11-17 22:03:00 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.


Note You need to log in before you can comment on or make changes to this bug.