Bug 456977 - SELinux has denied the pam_console_app (pam_console_t) "getattr" access to device /dev/hdc. /dev/hdc is mislabeled
SELinux has denied the pam_console_app (pam_console_t) "getattr" access to de...
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: smartmontools (Show other bugs)
5.2
All Linux
low Severity medium
: rc
: ---
Assigned To: Michal Hlavinka
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-07-28 21:09 EDT by Xin Dao
Modified: 2009-06-09 10:06 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-06-09 10:06:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Xin Dao 2008-07-28 21:09:05 EDT
Description of problem:

I am newbie to Linux, and after installed other rpms that's require for
NDISwrapper, I got "AVC denial" message from SELinux.  And it asked me to report
the bug.  I copied the message I got from SELinux below 

Version-Release number of selected component (if applicable):


Additional info:


Summary:

SELinux is preventing pam_console_app (pam_console_t) "getattr" access to device
/dev/hdc.

Detailed Description:

SELinux has denied the pam_console_app (pam_console_t) "getattr" access to
device /dev/hdc. /dev/hdc is mislabeled, this device has the default label of
the /dev directory, which should not happen. All Character and/or Block Devices
should have a label. You can attempt to change the label of the file using
restorecon -v '/dev/hdc'. If this device remains labeled device_t, then this is
a bug in SELinux policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR,
and find a type that would work for /dev/hdc, you can use chcon -t SIMILAR_TYPE
'/dev/hdc', If this fixes the problem, you can make this permanent by executing
semanage fcontext -a -t SIMILAR_TYPE '/dev/hdc' If the restorecon changes the
context, this indicates that the application that created the device, created it
without using SELinux APIs. If you can figure out which application created the
device, please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this application.

Allowing Access:

Attempt restorecon -v '/dev/hdc' or chcon -t SIMILAR_TYPE '/dev/hdc'

Additional Information:

Source Context                system_u:system_r:pam_console_t:SystemLow-
                              SystemHigh
Target Context                system_u:object_r:device_t
Target Objects                /dev/hdc [ blk_file ]
Source                        pam_console_app
Source Path                   /sbin/pam_console_apply
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           pam-0.99.6.2-3.27.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-92.1.6.el5 #1
                              SMP Wed Jun 25 13:49:24 EDT 2008 i686 i686
Alert Count                   46
First Seen                    Mon 28 Jul 2008 10:54:20 AM PDT
Last Seen                     Mon 28 Jul 2008 10:54:33 AM PDT
Local ID                      7a2a2a6a-0bba-44fa-9145-6667183aa8fe
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1217267673.429:218): avc:  denied
 { getattr } for  pid=1222 comm="pam_console_app" path="/dev/hdc" dev=tmpfs
ino=4636 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=blk_file

host=localhost.localdomain type=SYSCALL msg=audit(1217267673.429:218):
arch=40000003 syscall=195 success=no exit=-13 a0=bfb4e1f0 a1=bfb4e21c a2=7c6ff4
a3=4 items=0 ppid=867 pid=1222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pam_console_app"
exe="/sbin/pam_console_apply"
subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-07-29 14:56:58 EDT
/dev/hdc is labeled incorrectly this is probably a bug in raid tools.  

restorecon -R /dev/hd*

Should fix.
Comment 2 Daniel Walsh 2008-10-10 16:51:31 EDT
Smartmon created the disks with the wrong context.
Comment 3 Michal Hlavinka 2009-01-26 10:58:15 EST
can you still reproduce this after 5.3 update?
Comment 4 Michal Hlavinka 2009-05-18 10:42:48 EDT
This bug has needinfo state without any reply for almost five months, it will be closed next week.
Comment 5 Michal Hlavinka 2009-06-09 10:06:31 EDT
no reply for more than five months, I'm closing this bug. Feel free to reopen this if you can still reproduce this problem.

Note You need to log in before you can comment on or make changes to this bug.