Bug 444898 - SE-Linux vs. pam
Summary: SE-Linux vs. pam
Alias: None
Product: Fedora
Classification: Fedora
Component: pam   
(Show other bugs)
Version: 8
Hardware: x86_64 Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2008-05-01 16:35 UTC by shiv
Modified: 2008-10-01 10:01 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-3.0.8-102.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-10-01 10:01:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description shiv 2008-05-01 16:35:49 UTC
Source Context:  system_u:system_r:pam_console_t:s0-s0:c0.c1023Target
Context:  system_u:object_r:cpu_device_t:s0Target Objects:  /dev/cpu/1/msr [
chr_file ]Source:  pam_console_appSource
Path:  /sbin/pam_console_applyPort:  <Unknown>Host:  sobolevSource RPM
Packages:  pam- RPM Packages:  Policy
RPM:  selinux-policy-3.0.8-98.fc8Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  catchall_fileHost
Name:  sobolevPlatform:  Linux sobolev #1 SMP Sat Apr 19
11:18:09 EDT 2008 x86_64 x86_64Alert Count:  1First Seen:  Thu 01 May 2008
09:14:11 AM PDTLast Seen:  Thu 01 May 2008 09:14:11 AM PDTLocal
ID:  92a10298-10e8-495b-85ca-ea395388d8cdLine Numbers:  Raw Audit Messages
:host=sobolev type=AVC msg=audit(1209658451.363:39): avc: denied { getattr } for
pid=12959 comm="pam_console_app" path="/dev/cpu/1/msr" dev=tmpfs ino=122003
tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file host=sobolev
type=SYSCALL msg=audit(1209658451.363:39): arch=c000003e syscall=4 success=no
exit=-13 a0=810540 a1=7fff01338d30 a2=7fff01338d30 a3=349a3529f0 items=0
ppid=12957 pid=12959 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="pam_console_app" exe="/sbin/pam_console_apply"
subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)

Comment 1 shiv 2008-05-01 16:36:19 UTC
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /dev/cpu/1/msr, restorecon -v
'/dev/cpu/1/msr' If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow this
access - see FAQ Or you can disable SELinux protection altogether. Disabling
SELinux protection is not recommended. Please file a bug report against this

Comment 2 Tomas Mraz 2008-05-01 18:43:17 UTC
pam_console_apply should be able to getattr cpu_device_t

Comment 3 Daniel Walsh 2008-05-05 17:43:01 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-102.fc8

Note You need to log in before you can comment on or make changes to this bug.