Bug 444898 - SE-Linux vs. pam
Product: Fedora
Classification: Fedora
Component: pam
x86_64 Linux
Priority: low
Severity: low
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
Reported: 2008-05-01 12:35 EDT by shiv
Modified: 2008-10-01 06:01 EDT (History)
Fixed In Version: selinux-policy-3.0.8-102.fc8
Doc Type: Bug Fix
Last Closed: 2008-10-01 06:01:14 EDT
Description shiv 2008-05-01 12:35:49 EDT
Source Context:  system_u:system_r:pam_console_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:cpu_device_t:s0
Target Objects:  /dev/cpu/1/msr [ chr_file ]
Source:  pam_console_app
Source Path:  /sbin/pam_console_apply
Port:  <Unknown>
Host:  sobolev
Source RPM Packages:  pam-
RPM Packages:
Policy RPM:  selinux-policy-3.0.8-98.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall_file
Host Name:  sobolev
Platform:  Linux sobolev #1 SMP Sat Apr 19 11:18:09 EDT 2008 x86_64 x86_64
Alert Count:  1
First Seen:  Thu 01 May 2008 09:14:11 AM PDT
Last Seen:  Thu 01 May 2008 09:14:11 AM PDT
Local ID:  92a10298-10e8-495b-85ca-ea395388d8cd
Line Numbers:
Raw Audit Messages:

host=sobolev type=AVC msg=audit(1209658451.363:39): avc: denied { getattr } for pid=12959 comm="pam_console_app" path="/dev/cpu/1/msr" dev=tmpfs ino=122003 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file

host=sobolev type=SYSCALL msg=audit(1209658451.363:39): arch=c000003e syscall=4 success=no exit=-13 a0=810540 a1=7fff01338d30 a2=7fff01338d30 a3=349a3529f0 items=0 ppid=12957 pid=12959 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pam_console_app" exe="/sbin/pam_console_apply" subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)

Comment 1 shiv 2008-05-01 12:36:19 EDT
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /dev/cpu/1/msr,

restorecon -v '/dev/cpu/1/msr'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ.
Or you can disable SELinux protection altogether. Disabling SELinux protection
is not recommended. Please file a bug report against this
Comment 2 Tomas Mraz 2008-05-01 14:43:17 EDT
pam_console_apply should be able to getattr cpu_device_t
Comment 3 Daniel Walsh 2008-05-05 13:43:01 EDT
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-102.fc8
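
Added example, not part of the original bug thread and not audit2allow's own code: `audit2allow -l -i` turns every denial logged since the last policy load into allow rules, so this sketch parses AVC records and renders a module limited to one source domain, here the single `pam_console_t` getattr denial. Assumptions: the first sample record takes its `scontext` from the report's "Source Context" field (the extracted AVC line above lacks it), the second record and its `example_*` types are hypothetical, and all function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample log. Record 1 follows this report's denial (scontext taken from
# its "Source Context" field); record 2 is an unrelated, hypothetical denial.
SAMPLE_LOG = '''\
type=AVC msg=audit(1209658451.363:39): avc: denied { getattr } for pid=12959 comm="pam_console_app" path="/dev/cpu/1/msr" dev=tmpfs ino=122003 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1209658460.100:41): avc: denied { read write } for pid=13001 comm="exampled" name="secret" dev=dm-0 ino=4242 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_secret_t:s0 tclass=file
type=SYSCALL msg=audit(1209658451.363:39): arch=c000003e syscall=4 success=no exit=-13 comm="pam_console_app" exe="/sbin/pam_console_apply"
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def se_type(context):
    # An SELinux context is user:role:type:level; the type is the third field.
    return context.split(':')[2]

def denials(log_text):
    """Yield (source_type, target_type, class, [perms]) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield se_type(m['s']), se_type(m['t']), m['cls'], m['perms'].split()

def fmt(perms):
    """Render a permission set in policy syntax: bare name or { a b }."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def build_module(log_text, name, source_type):
    """Render a .te module allowing only the denials raised by source_type."""
    rules, by_class = defaultdict(set), defaultdict(set)
    for src, tgt, cls, perms in denials(log_text):
        if src == source_type:          # skip denials from other domains
            rules[(tgt, cls)].update(perms)
            by_class[cls].update(perms)
    types = sorted({source_type} | {tgt for tgt, _ in rules})
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'    type {t};' for t in types]
    out += [f'    class {c} {fmt(p)};' for c, p in sorted(by_class.items())]
    out += ['}', '']
    out += [f'allow {source_type} {t}:{c} {fmt(p)};'
            for (t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(build_module(SAMPLE_LOG, 'mypol', 'pam_console_t'))
```

Reading the generated `.te` before loading it shows exactly which access the local module grants; here that is one rule, `allow pam_console_t cpu_device_t:chr_file getattr;`.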