Bug 504719 - /dev/pts/ptmx created with improper SELinux context....
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-06-09 00:06 UTC by Tom London
Modified: 2011-10-12 17:50 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-12 17:50:44 UTC
Type: ---
Embargoed:


Description Tom London 2009-06-09 00:06:16 UTC
Description of problem:
On rawhide:

[root@tlondon etc]# restorecon -v -R -n /dev
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0
[root@tlondon etc]# 



Version-Release number of selected component (if applicable):
MAKEDEV-3.24-3.x86_64

How reproducible:
every time.....

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
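
The dry-run check in the description above, as an added example that is not part of the original report: a shell helper that parses `restorecon -n -v` output into path, current type and expected type. The function names and the second sample line are constructed here; the `Would relabel ... from ... to ...` form is the message newer restorecon builds print.

```shell
#!/bin/sh
# Added example (not from the bug report): parse `restorecon -n -v` output
# into "path<TAB>current_type<TAB>expected_type" records.
parse_relabel() {
    awk '
    # A context is user:role:type[:range]; field 3 is the type.
    function ctype(ctx,   f) { return (split(ctx, f, ":") >= 3) ? f[3] : "-" }
    function emit(path, old, new) {
        printf "%s\t%s\t%s\n", path, ctype(old), ctype(new)
    }
    # Format seen in this report: restorecon reset PATH context OLD->NEW
    /^restorecon reset .* context [^ ]+->[^ ]+$/ {
        pair = $NF                      # contexts never contain spaces
        path = substr($0, 18, length($0) - 17 - length(" context " pair))
        i = index(pair, "->")
        emit(path, substr(pair, 1, i - 1), substr(pair, i + 2))
        next
    }
    # Newer format: (Would relabel|Relabeled) PATH from OLD to NEW
    /^(Would relabel|Relabeled) .* from [^ ]+ to [^ ]+$/ {
        rest = $0
        sub(/^(Would relabel|Relabeled) /, "", rest)
        tail = " from " $(NF - 2) " to " $NF
        emit(substr(rest, 1, length(rest) - length(tail)), $(NF - 2), $NF)
    }'
}

# Count mislabels per "current->expected" type pair, most frequent first.
relabel_summary() {
    parse_relabel | awk -F '\t' '{ n[$2 "->" $3]++ }
        END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort -k1,1nr -k2
}

# Constructed sample: line 1 is the message from this report, line 2 is
# made up (path with a space), line 3 is a shell prompt that must be ignored.
sample_output() {
    cat <<'EOF'
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0
Would relabel /srv/my files/a.txt from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:var_t:s0
[root@host etc]#
EOF
}

# On a live system (root, SELinux enabled): restorecon -v -R -n /dev | parse_relabel
sample_output | parse_relabel
```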

Comment 1 Bug Zapper 2009-06-09 17:14:08 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Chris Lumens 2009-11-11 20:31:31 UTC
I'm not seeing this with the same version of MAKEDEV.  I believe the problem existed in selinux-policy-targeted, though, and that has since been updated.  If you are still experiencing problems with the latest policy packages installed, feel free to reopen this bug report.

Comment 3 Jerry James 2011-07-11 15:05:15 UTC
I'm seeing this on a real box (x86_64) running Fedora 15, as well as on two virtual machines (i686 and x86_64) running Rawhide.  On Fedora 15, I have:

kernel-2.6.38.8-32.fc15.x86_64
MAKEDEV-3.24-9.fc15.x86_64
selinux-policy-targeted-3.9.16-32.fc15.noarch

and the Rawhide machines are updated daily.

Comment 4 Daniel Walsh 2011-07-11 22:12:08 UTC
Jerry, how are you getting this to happen?

Comment 5 Jerry James 2011-07-12 15:48:17 UTC
I have no idea.  After booting my machines, I see the incorrect label.  I have the following machines:
1. Host: x86_64.  Originally installed F-14 on it, then upgraded it to F-15 using the DVD.
2. Guest 1: x86_64.  Originally installed F-15 Beta, then upgraded it to Rawhide with yum + package-cleanup when F-15 was released.
3. Guest 2: i686.  Otherwise identical to guest 1.

All 3 machines are updated with yum each weekday.  I need to check whether this happens on my home machine, which was a clean install of F-15 (x86_64).  I'll try to remember to do that tonight.

Comment 6 Daniel Walsh 2011-07-12 18:18:13 UTC
OK, I see this on my machine also, running rawhide.

Comment 7 Daniel Walsh 2011-07-12 19:05:34 UTC
I think this might be a kernel issue, if the kernel is creating the device.

Comment 8 Daniel Walsh 2011-07-12 19:12:00 UTC
Eric, ptmx gets created when the /dev/pts file system is mounted.  The problem is the device gets created with the wrong label.

ptmx
 kernel_t device_t :chr_file ptmx_t
ptmx
 kernel_t devpts_t :chr_file ptmx_t
ptmx
 sysadm_t device_t :chr_file ptmx_t
ptmx
 sysadm_t devpts_t :chr_file ptmx_t
ptmx
 unconfined_t device_t :chr_file ptmx_t
ptmx
 unconfined_t devpts_t :chr_file ptmx_t

Is written in policy.

Comment 9 Jerry James 2011-10-06 17:35:39 UTC
Since a few days ago, restorecon in Rawhide thinks that /dev/pts/ptmx should have type devpts_t.  Is that right?  The ptmx_t definition is still in /usr/share/selinux/devel/include/kernel/terminal.if.

In any case, I still see the wrong label on my F-15 host machine on bootup.

Comment 10 Daniel Walsh 2011-10-07 14:17:59 UTC
Yes, we have changed it to devpts_t since we cannot seem to get it to be labeled as ptmx_t, and we are not even sure it should be.

Have not backported this fix to F15, but it really does not matter, since nothing should be being denied.

Comment 11 Daniel Walsh 2011-10-12 17:50:44 UTC
Fixed in the current release of selinux-policy on F16/F17

