Bug 503130 - SELinux prevented groupadd/load_policy from using the terminal tty0
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-05-29 01:24 EDT by Allen Kistler
Modified: 2009-08-21 17:29 EDT
Doc Type: Bug Fix
Last Closed: 2009-08-21 17:29:17 EDT
Description Allen Kistler 2009-05-29 01:24:04 EDT
Description of problem:
Updating packages runs embedded scripts that seem to need some additional type enforcement rules.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-39.fc11.noarch

(a previous policy really generated the denials, but audit2why verifies this one would as well)

How reproducible:
Always (?)

Steps to Reproduce:
1. yum update for the affected packages (see below)
  
Actual results:
AVC denials (see below)

Expected results:
No AVC denials

Additional info:

node=ack607 type=AVC msg=audit(1243495986.517:11): avc:  denied  { read write } for  pid=1905 comm="groupadd" name="tty0" dev=tmpfs ino=434 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=ack607 type=AVC msg=audit(1243496054.634:14): avc:  denied  { read write } for  pid=2031 comm="load_policy" name="tty0" dev=tmpfs ino=434 scontext=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

The above audit entries correspond to the following entries from messages.

May 28 02:33:08 localhost yum: Updated: initscripts-8.95-1.i586
May 28 02:33:09 localhost setroubleshoot: SELinux prevented groupadd from using the terminal tty0.
May 28 02:33:09 localhost kernel: udev: starting version 141
May 28 02:33:09 localhost yum: Updated: udev-141-3.fc11.i586

May 28 02:33:54 localhost yum: Updated: selinux-policy-3.6.12-39.fc11.noarch
May 28 02:34:15 localhost setroubleshoot: SELinux prevented load_policy from using the terminal tty0.
May 28 02:34:15 localhost dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
May 28 02:34:15 localhost dbus: Reloaded configuration
May 28 02:34:16 localhost yum: Updated: selinux-policy-targeted-3.6.12-39.fc11.noarch
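
Added example (not part of the original report and not Fedora's own tooling): a small Python parser that reduces the AVC records above to source type, target type, class and permissions, and converts the audit epoch timestamp to UTC so it can be matched against the messages entries. The function names are hypothetical; the sample input is the two records from the description.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# The two AVC records from this report, copied from the description above.
SAMPLE = '''\
node=ack607 type=AVC msg=audit(1243495986.517:11): avc:  denied  { read write } for  pid=1905 comm="groupadd" name="tty0" dev=tmpfs ino=434 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
node=ack607 type=AVC msg=audit(1243496054.634:14): avc:  denied  { read write } for  pid=2031 comm="load_policy" name="tty0" dev=tmpfs ino=434 scontext=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs; values may be double-quoted (comm, name).
    kv = {k: v.strip('"') for k, v in
          re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields'))}
    # An SELinux context is user:role:type[:mls-range]; the type is field 3.
    kv['source_type'] = kv['scontext'].split(':')[2]
    kv['target_type'] = kv['tcontext'].split(':')[2]
    kv['perms'] = m.group('perms').split()
    kv['serial'] = int(m.group('serial'))
    kv['time_utc'] = datetime.fromtimestamp(int(m.group('epoch')), tz=timezone.utc)
    return kv

def summarize(text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            groups[key].update(rec['perms'])
    return dict(groups)

if __name__ == '__main__':
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```

The messages timestamps are in the host's local time, so apply the host's UTC offset before comparing them with `time_utc`.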
Comment 1 Bug Zapper 2009-06-09 12:45:01 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 2 Daniel Walsh 2009-08-21 17:29:17 EDT
Seems to be fixed in F11 release.
