Bug 473042 - (staff_u) SELinux prevented bash from using the terminal /dev/pts/0.
Summary: (staff_u) SELinux prevented bash from using the terminal /dev/pts/0.
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: bash
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Roman Rakus
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-11-26 09:02 UTC by Matěj Cepl
Modified: 2018-04-11 12:40 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-03-03 20:38:25 UTC
Type: ---
Embargoed:


Description Matěj Cepl 2008-11-26 09:02:02 UTC
???? since when is bash a daemon?


Summary:

SELinux prevented bash from using the terminal /dev/pts/0.

Detailed description:

SELinux prevented bash from using the terminal /dev/pts/0. In most cases daemons
do not need to interact with the terminal, usually these avc messages can be
ignored. All of the confined daemons should have dontaudit rules around using
the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.

Allowing access:

Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."

Fix command:

setsebool -P allow_daemons_use_tty=1

Additional information:

Source context                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target context                staff_u:object_r:unconfined_devpts_t
Target objects                /dev/pts/0 [ chr_file ]
Source                        bash
Source path                   /bin/bash
Port                          <Unknown>
Host                          viklef
Source RPM packages           bash-3.2-29.fc10
Target RPM packages           
Policy RPM                    selinux-policy-3.5.13-26.fc10
SELinux enabled               True
Policy type                   targeted
MLS enabled                   True
Enforcement mode              Enforcing
Plugin name                   allow_daemons_use_tty
Host name                     viklef
Platform                      Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Alert count                   8
First seen                    Wed 26 November 2008, 09:57:55 CET
Last seen                     Wed 26 November 2008, 09:57:55 CET
Local ID                      defbee82-0d05-44be-81a8-56ca76ce1e86
Line numbers                  

Raw audit messages           

node=viklef type=AVC msg=audit(1227689875.283:90): avc:  denied  { write } for  pid=6419 comm="bash" path="/dev/pts/0" dev=devpts ino=2 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:unconfined_devpts_t:s0 tclass=chr_file

node=viklef type=SYSCALL msg=audit(1227689875.283:90): arch=40000003 syscall=4 success=no exit=-13 a0=2 a1=b806f000 a2=5 a3=5 items=0 ppid=6416 pid=6419 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="bash" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-11-27 12:03:08 UTC
You have a terminal labeled unconfined_devpts_t, which must have been labeled for an unconfined domain. Are you running an unconfined_t process as root? And for some reason staff_t is trying to write to this terminal.

How did you get this to happen?

Comment 2 Matěj Cepl 2008-11-27 13:28:30 UTC
It happens when running sudo -i.

Comment 3 Daniel Walsh 2008-12-01 21:49:46 UTC
I can not recreate.

Comment 4 Matěj Cepl 2008-12-01 22:46:12 UTC
[matej@viklef vimfiles]$ ls -lZ /dev/pts/*
crw--w----  matej tty staff_u:object_r:staff_devpts_t  /dev/pts/0
crw--w----  matej tty staff_u:object_r:staff_devpts_t  /dev/pts/1
[matej@viklef vimfiles]$ getfacl  /dev/pts/*
getfacl: Removing leading '/' from absolute path names
# file: dev/pts/0
# owner: matej
# group: tty
user::rw-
group::-w-
other::---

# file: dev/pts/1
# owner: matej
# group: tty
user::rw-
group::-w-
other::---

[matej@viklef vimfiles]$ 

This looks all right, doesn't it? Or is there some swinging of ownership done by ConsoleKit and its likes which makes SELinux unhappy?

Comment 5 Daniel Walsh 2008-12-02 16:00:21 UTC
When you execute sudo -i it changes the label of the terminal from staff_devpts_t to unconfined_devpts_t.  So something still running as staff_t tries to write to the terminal after the sudo, which is causing the AVC.  Thankfully this goes away in F11.

Comment 6 lexual 2009-03-01 08:27:21 UTC
Patch may need updating for bash 4.0?

Comment 7 Daniel Walsh 2009-03-03 20:38:25 UTC
There is not much we can do until the next release.

If you have a process with an open connection to the terminal as staff_t, then you run sudo to change to unconfined_t, this relabels the terminal; now if the original staff_t process writes to the terminal it will generate an AVC.

This type of isolation might be justifiable, but it is rather tough to explain to a user. This has been removed in F11, so I am closing until then.
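The thread turns on two details that setroubleshoot's plugin glossed over: the denied source is a login-session domain (staff_r role), not a daemon, so the suggested allow_daemons_use_tty boolean is beside the point; and the target pty carries a different login domain's devpts label (unconfined_devpts_t under a staff_t writer), which is exactly the sudo relabel described in comments 5 and 7. The parser below is an added example, not code from this bug report, from Fedora, or from setroubleshoot. It reads the AVC line pasted in the description, extracts the context types, and applies two checks. The second and third sample lines, the `expected_pty_type` naming rule (`<prefix>_t` to `<prefix>_devpts_t`, which matches the staff_devpts_t label shown in comment 4) and the "system_r means daemon" rule are assumptions made for the example.

```python
import re

# Sample audit lines. The first two are copied from the report above; the third is
# a constructed, unrelated denial so the classifier has something to reject.
SAMPLE_AUDIT_LINES = [
    'node=viklef type=AVC msg=audit(1227689875.283:90): avc:  denied  { write } for  '
    'pid=6419 comm="bash" path="/dev/pts/0" dev=devpts ino=2 '
    'scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:object_r:unconfined_devpts_t:s0 tclass=chr_file',
    'node=viklef type=SYSCALL msg=audit(1227689875.283:90): arch=40000003 syscall=4 '
    'success=no exit=-13 pid=6419 comm="bash" exe="/bin/bash"',
    # constructed sample: a daemon domain denied read on a home-directory file
    'type=AVC msg=audit(1227689900.000:91): avc:  denied  { read } for  pid=7000 '
    'comm="httpd" name="index.html" dev=sda1 ino=12 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
EVENT_RE = re.compile(r'msg=audit\(([^)]+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit record; return a dict for AVC denials, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = dict(fields)
    rec['perms'] = set(m.group('perms').split())
    ev = EVENT_RE.search(line)
    rec['event_id'] = ev.group(1) if ev else None  # ties the AVC to its SYSCALL record
    # A context is user:role:type[:range]; role is field 1, type is field 2.
    sctx = fields['scontext'].split(':')
    tctx = fields['tcontext'].split(':')
    rec['srole'], rec['stype'] = sctx[1], sctx[2]
    rec['ttype'] = tctx[2]
    return rec


def expected_pty_type(domain):
    """Assumed naming rule: a login domain <prefix>_t owns ptys labeled <prefix>_devpts_t."""
    return domain[:-2] + '_devpts_t' if domain.endswith('_t') else None


def source_is_daemon(rec):
    """Assumed rule: daemons run in the system_r role; logged-in users do not."""
    return rec['srole'] == 'system_r'


def is_relabeled_pty_denial(rec):
    """Write denied on a pty whose devpts label belongs to a different login domain,
    i.e. the terminal was relabeled (here by sudo) under a process still holding it."""
    return (rec is not None
            and rec.get('tclass') == 'chr_file'
            and rec.get('dev') == 'devpts'
            and rec['ttype'].endswith('_devpts_t')
            and 'write' in rec['perms']
            and expected_pty_type(rec['stype']) != rec['ttype'])


def triage(lines):
    """Return one short verdict per AVC denial in the input."""
    verdicts = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if is_relabeled_pty_denial(rec):
            why = 'pty relabeled under a live %s process' % rec['stype']
        elif source_is_daemon(rec):
            why = 'daemon domain %s; a tty boolean could apply' % rec['stype']
        else:
            why = 'user domain %s; not a daemon, check the target label' % rec['stype']
        verdicts.append((rec['event_id'], rec['comm'], why))
    return verdicts


if __name__ == '__main__':
    for event_id, comm, why in triage(SAMPLE_AUDIT_LINES):
        print(event_id, comm, why)
```

Run against the report's own record the triage attributes the denial to the relabeled terminal rather than to a daemon policy gap, which is the reading the maintainer arrived at by comment 5; on a real box the same fields can be pulled with `ausearch -m avc` and the pty's current label confirmed with `ls -lZ /dev/pts/*`, as comment 4 does.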

