???? since when is bash a daemon?

Summary:
SELinux prevented bash from using the terminal /dev/pts/0.

Detailed Description:
SELinux prevented bash from using the terminal /dev/pts/0. In most cases daemons do not need to interact with the terminal, usually these avc messages can be ignored. All of the confined daemons should have dontaudit rules around using the terminal. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy. If you would like to allow all daemons to interact with the terminal, you can turn on the allow_daemons_use_tty boolean.

Allowing Access:
Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1."

Fix Command:
setsebool -P allow_daemons_use_tty=1

Additional Information:
Source Context          staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target Context          staff_u:object_r:unconfined_devpts_t
Target Objects          /dev/pts/0 [ chr_file ]
Source                  bash
Source Path             /bin/bash
Port                    <Unknown>
Host                    viklef
Source RPM Packages     bash-3.2-29.fc10
Target RPM Packages
Policy RPM              selinux-policy-3.5.13-26.fc10
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             allow_daemons_use_tty
Host Name               viklef
Platform                Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Alert Count             8
First Seen              Wed 26 November 2008, 09:57:55 CET
Last Seen               Wed 26 November 2008, 09:57:55 CET
Local ID                defbee82-0d05-44be-81a8-56ca76ce1e86
Line Numbers

Raw Audit Messages:
node=viklef type=AVC msg=audit(1227689875.283:90): avc: denied { write } for pid=6419 comm="bash" path="/dev/pts/0" dev=devpts ino=2 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
node=viklef type=SYSCALL msg=audit(1227689875.283:90): arch=40000003 syscall=4 success=no exit=-13 a0=2 a1=b806f000 a2=5 a3=5 items=0 ppid=6416 pid=6419 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="bash" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
You have a terminal labeled unconfined_devpts_t which must have been labeled for an unconfined domain. Are you running an unconfined_t process as root? And for some reason staff_t is trying to write to this terminal. How did you get this to happen?
It happens when running sudo -i.
I can not recreate.
[matej@viklef vimfiles]$ ls -lZ /dev/pts/*
crw--w---- matej tty staff_u:object_r:staff_devpts_t /dev/pts/0
crw--w---- matej tty staff_u:object_r:staff_devpts_t /dev/pts/1
[matej@viklef vimfiles]$ getfacl /dev/pts/*
getfacl: Removing leading '/' from absolute path names
# file: dev/pts/0
# owner: matej
# group: tty
user::rw-
group::-w-
other::---

# file: dev/pts/1
# owner: matej
# group: tty
user::rw-
group::-w-
other::---

[matej@viklef vimfiles]$

This looks all right, doesn't it? Or is there some swinging of ownership done by ConsoleKit and its likes which makes SELinux unhappy?
When you execute sudo -i it changes the label of the terminal from staff_devpts_t to unconfined_devpts_t. So something still running as staff_t tries to write to the terminal after the sudo, which is causing the AVC. Thankfully this goes away in F11.
Patch may need updating for bash 4.0?
There is not much we can do until the next release. If you have a process with an open connection to the terminal as staff_t, then you run sudo to change to unconfined_t, this relabels the terminal; now if the original staff_t writes to the terminal it will generate an AVC. This type of isolation might be justifiable, but it is rather tough to explain to a user. This has been removed in F11 so I am closing until then.
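The comments above describe the mechanism behind the raw audit message in the report: sudo -i relabels the pty from staff_devpts_t to unconfined_devpts_t, and a process still running in staff_t that writes to it is denied. The following is an added example (not part of this bug thread or of the selinux-policy package) that parses an AVC record of the kind shown in the report and flags exactly that pattern, so an administrator can tell a stale-pty-label denial apart from the "daemon using a terminal" case the troubleshooter assumed. The only assumption it makes is the refpolicy naming convention that a user domain foo_t owns ptys of type foo_devpts_t (staff_t and staff_devpts_t as seen in the ls -lZ output above); the sample record is the AVC line from this report.

```python
import re
from dataclasses import dataclass

# The AVC record from this bug's "Raw Audit Messages", used here as the sample input.
AVC_SAMPLE = (
    'node=viklef type=AVC msg=audit(1227689875.283:90): avc: denied { write } '
    'for pid=6419 comm="bash" path="/dev/pts/0" dev=devpts ino=2 '
    'scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:object_r:unconfined_devpts_t:s0 tclass=chr_file'
)

# "avc: denied { write }" / "avc: granted { read write }"
_DECISION_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
# key=value pairs; values may be quoted (comm="bash") or bare (tclass=chr_file)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    decision: str      # "denied" or "granted"
    permissions: list  # e.g. ["write"]
    fields: dict       # pid, comm, path, dev, scontext, tcontext, tclass, ...


def parse_avc(line):
    """Parse one kernel AVC audit record into decision, permissions and key=value fields."""
    m = _DECISION_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return AvcRecord(m.group(1), m.group(2).split(), fields)


def context_type(ctx):
    """Return the type component of a user:role:type[:range] SELinux context."""
    return ctx.split(':')[2]


def expected_devpts_type(domain):
    """Pty type a user domain normally owns.

    Assumed refpolicy convention: staff_t -> staff_devpts_t, user_t -> user_devpts_t.
    """
    base = domain[:-len('_t')] if domain.endswith('_t') else domain
    return base + '_devpts_t'


def is_tty_label_mismatch(rec):
    """True for a denied write on a devpts node whose label belongs to a different domain.

    This is the pattern from the bug: staff_t writing to a pty relabeled
    unconfined_devpts_t after sudo -i. Daemons without a foo_devpts_t type are
    deliberately not special-cased; they fall through as a mismatch too.
    """
    if rec.decision != 'denied' or 'write' not in rec.permissions:
        return False
    if rec.fields.get('tclass') != 'chr_file' or rec.fields.get('dev') != 'devpts':
        return False
    stype = context_type(rec.fields['scontext'])
    ttype = context_type(rec.fields['tcontext'])
    return ttype != expected_devpts_type(stype)


def explain(rec):
    """One-line triage summary naming the domain and the pty label it ran into."""
    if not is_tty_label_mismatch(rec):
        return "no pty label mismatch"
    stype = context_type(rec.fields['scontext'])
    ttype = context_type(rec.fields['tcontext'])
    return "%s (pid %s) denied write on %s: pty labeled %s, expected %s" % (
        rec.fields.get('comm'), rec.fields.get('pid'), rec.fields.get('path'),
        ttype, expected_devpts_type(stype))


if __name__ == '__main__':
    print(explain(parse_avc(AVC_SAMPLE)))
```

Running it on the report's record prints that bash (pid 6419) was denied write on /dev/pts/0 because the pty is labeled unconfined_devpts_t while a staff_t process would be expected to own staff_devpts_t; the same record with a matching staff_devpts_t label is reported as no mismatch. On a live system the records come from `ausearch -m AVC`, and the relabel itself can be confirmed with `ls -Z /dev/pts/N` before and after sudo -i, as done in the comments above.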