Bug 444898 - SE-Linux vs. pam
Summary: SE-Linux vs. pam
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 8
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-05-01 16:35 UTC by shiv
Modified: 2008-10-01 10:01 UTC (History)

Fixed In Version: selinux-policy-3.0.8-102.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-10-01 10:01:14 UTC
Type: ---
Embargoed:



Description shiv 2008-05-01 16:35:49 UTC
Source Context:  system_u:system_r:pam_console_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:cpu_device_t:s0
Target Objects:  /dev/cpu/1/msr [ chr_file ]
Source:  pam_console_app
Source Path:  /sbin/pam_console_apply
Port:  <Unknown>
Host:  sobolev
Source RPM Packages:  pam-0.99.8.1-17.1.fc8
Target RPM Packages:
Policy RPM:  selinux-policy-3.0.8-98.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall_file
Host Name:  sobolev
Platform:  Linux sobolev 2.6.24.5-85.fc8 #1 SMP Sat Apr 19 11:18:09 EDT 2008 x86_64 x86_64
Alert Count:  1
First Seen:  Thu 01 May 2008 09:14:11 AM PDT
Last Seen:  Thu 01 May 2008 09:14:11 AM PDT
Local ID:  92a10298-10e8-495b-85ca-ea395388d8cd
Line Numbers:

Raw Audit Messages:

host=sobolev type=AVC msg=audit(1209658451.363:39): avc: denied { getattr } for pid=12959 comm="pam_console_app" path="/dev/cpu/1/msr" dev=tmpfs ino=122003 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file

host=sobolev type=SYSCALL msg=audit(1209658451.363:39): arch=c000003e syscall=4 success=no exit=-13 a0=810540 a1=7fff01338d30 a2=7fff01338d30 a3=349a3529f0 items=0 ppid=12957 pid=12959 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pam_console_app" exe="/sbin/pam_console_apply" subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)

Comment 1 shiv 2008-05-01 16:36:19 UTC
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /dev/cpu/1/msr:

restorecon -v '/dev/cpu/1/msr'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ.
Or you can disable SELinux protection altogether. Disabling SELinux protection
is not recommended. Please file a bug report against this package.

Comment 2 Tomas Mraz 2008-05-01 18:43:17 UTC
pam_console_apply should be able to getattr cpu_device_t


Comment 3 Daniel Walsh 2008-05-05 17:43:01 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-102.fc8
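As an added illustration (not code from this bug report, nor from the audit2allow tool itself), the Python below reproduces the core of what the audit2allow step in comment 3 does on the denial quoted in the description: it parses the AVC record and derives the `allow` rule the local module would contain, so the grant can be reviewed before `semodule -i` loads it. The sample log text is constructed from the report's own AVC and SYSCALL records; everything else is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denial and its SYSCALL record from this bug report,
# in the one-record-per-line form found in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1209658451.363:39): avc: denied { getattr } for pid=12959 comm="pam_console_app" path="/dev/cpu/1/msr" dev=tmpfs ino=122003 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1209658451.363:39): arch=c000003e syscall=4 success=no exit=-13 comm="pam_console_app" exe="/sbin/pam_console_apply"
"""

# Only AVC records carry the access vector; SYSCALL records are skipped.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = frozenset(m.group("perms").split())
        yield (context_type(m.group("scontext")), context_type(m.group("tcontext")),
               m.group("tclass"), perms)


def allow_rules(log_text):
    """Merge denials per (source, target, class) into TE 'allow' rules."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(log_text):
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (s, t, c), p in sorted(merged.items()):
        perm_text = next(iter(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        rules.append(f"allow {s} {t}:{c} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Read the emitted rule against the process and device it names before loading the module; a catch-all generated from a busy audit log can grant far more than the single getattr this report needed.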

