Bug 495197 - (staff_u) SELinux prevented ekiga from using the terminal /dev/pts/ptmx.
(staff_u) SELinux prevented ekiga from using the terminal /dev/pts/ptmx.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
: Reopened, SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-04-10 05:34 EDT by Matěj Cepl
Modified: 2009-11-18 08:09 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-18 08:09:33 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2009-04-10 05:34:27 EDT
Souhrn:

SELinux prevented ekiga from using the terminal /dev/pts/ptmx.

Podrobný popis:

SELinux prevented ekiga from using the terminal /dev/pts/ptmx. In most cases
daemons do not need to interact with the terminal, usually these avc messages
can be ignored. All of the confined daemons should have dontaudit rules around
using the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.

Povolení přístupu:

Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."

Příkaz pro opravu:

setsebool -P allow_daemons_use_tty=1

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:devpts_t:s0
Objekty cíle                 /dev/pts/ptmx [ chr_file ]
Zdroj                         pvs
Cesta zdroje                  /sbin/lvm
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          ekiga-3.2.0-1.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-2.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     allow_daemons_use_tty
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-54.fc11.x86_64 #1
                              SMP Tue Apr 7 05:26:42 EDT 2009 x86_64 x86_64
Počet upozornění           2
Poprvé viděno               Čt 9. duben 2009, 01:34:51 CEST
Naposledy viděno             Pá 10. duben 2009, 11:32:20 CEST
Místní ID                   f06c8329-673d-41dc-b77b-a1b0734c0ff0
Čísla řádků              

Původní zprávy auditu      

node=viklef.ceplovi.cz type=AVC msg=audit(1239355940.526:77): avc:  denied  { getattr } for  pid=15235 comm="ekiga" path="/dev/pts/ptmx" dev=devpts ino=2 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1239355940.526:77): arch=c000003e syscall=6 success=no exit=1096433624 a0=cbf260 a1=7fff32595e70 a2=7fff32595e70 a3=7fff32595d80 items=0 ppid=15184 pid=15235 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="ekiga" exe="/usr/bin/ekiga" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-04-11 08:05:33 EDT
THis is a labeling problem. 

/dev/pts/ptmx should be labeled ptmx_t  I guess it moved from /dev to /dev/pts.

Miroslav can you fix the labeling in F10?

In terminal.fc
/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)

Fixed in selinux-policy-3.6.12-3.fc11.noarch
Comment 2 Matěj Cepl 2009-05-12 05:11:14 EDT
I guess this is still not OK:

[matej@viklef ~]$ sudo restorecon -v -R /dev/
[matej@viklef ~]$ ls -lZ /dev/pt*
crw-rw-rw-. root tty  system_u:object_r:ptmx_t:s0      /dev/ptmx

/dev/pts:
c---------. root  root system_u:object_r:ptmx_t:s0      ptmx
crw--w----. matej tty  staff_u:object_r:user_devpts_t:s0 0
crw--w----. root  tty  system_u:object_r:devpts_t:s0:c356,c361 2
crw--w----. root  tty  system_u:object_r:devpts_t:s0:c356,c361 3
[matej@viklef ~]$ 

getting AVC denials:


Souhrn:

SELinux prevented ekiga from using the terminal /dev/pts/3.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux prevented ekiga from using the terminal /dev/pts/3. In most cases
daemons do not need to interact with the terminal, usually these avc messages
can be ignored. All of the confined daemons should have dontaudit rules around
using the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.

Povolení přístupu:

Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."

Příkaz pro opravu:

setsebool -P allow_daemons_use_tty=1

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:devpts_t:s0:c356,c361
Objekty cíle                 /dev/pts/3 [ chr_file ]
Zdroj                         ekiga
Cesta zdroje                  /usr/bin/ekiga
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          ekiga-3.2.0-2.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-34.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     allow_daemons_use_tty
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.2-126.fc11.x86_64
                              #1 SMP Mon May 4 04:46:15 EDT 2009 x86_64 x86_64
Počet upozornění           1
Poprvé viděno               Út 12. květen 2009, 11:08:23 CEST
Naposledy viděno             Út 12. květen 2009, 11:08:23 CEST
Místní ID                   e5d46534-715f-4165-a686-4f7c250c6a0c
Čísla řádků              

Původní zprávy auditu      

node=viklef.ceplovi.cz type=AVC msg=audit(1242119303.41:69): avc:  denied  { getattr } for  pid=6142 comm="ekiga" path="/dev/pts/3" dev=devpts ino=6 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0:c356,c361 tclass=chr_file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1242119303.41:69): arch=c000003e syscall=6 success=no exit=255754200 a0=2b004f0 a1=7fff9c2fa410 a2=7fff9c2fa410 a3=7fff9c2fa320 items=0 ppid=5622 pid=6142 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="ekiga" exe="/usr/bin/ekiga" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Comment 3 Peter Robinson 2009-05-12 05:20:24 EDT
Reassigning to selinux
Comment 4 Daniel Walsh 2009-05-12 08:31:57 EDT
Looks like those devpts are created by svirt.

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-35.fc11.noarch
Comment 5 Bug Zapper 2009-06-09 09:36:06 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.