Bug 504719 - /dev/pts/ptmx created with improper SELinux context....
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All, OS: Linux
Priority: low, Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2009-06-08 20:06 EDT by Tom London
Modified: 2011-10-12 13:50 EDT
Doc Type: Bug Fix
Last Closed: 2011-10-12 13:50:44 EDT
Description Tom London 2009-06-08 20:06:16 EDT
Description of problem:
On rawhide:

[root@tlondon etc]# restorecon -v -R -n /dev
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0
[root@tlondon etc]# 

Version-Release number of selected component (if applicable):

How reproducible:
every time.....

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
Comment 1 Bug Zapper 2009-06-09 13:14:08 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
Comment 2 Chris Lumens 2009-11-11 15:31:31 EST
I'm not seeing this with the same version of MAKEDEV.  I believe the problem existed in selinux-policy-targeted, though, and that has since been updated.  If you are still experiencing problems with the latest policy packages installed, feel free to reopen this bug report.
Comment 3 Jerry James 2011-07-11 11:05:15 EDT
I'm seeing this on a real box (x86_64) running Fedora 15, as well as on two virtual machines (i686 and x86_64) running Rawhide.  On Fedora 15, I have:


and the Rawhide machines are updated daily.
Comment 4 Daniel Walsh 2011-07-11 18:12:08 EDT
Jerry, how are you getting this to happen?
Comment 5 Jerry James 2011-07-12 11:48:17 EDT
I have no idea.  After booting my machines, I see the incorrect label.  I have the following machines:
1. Host: x86_64.  Originally installed F-14 on it, then upgraded it to F-15 using the DVD.
2. Guest 1: x86_64.  Originally installed F-15 Beta, then upgraded it to Rawhide with yum + package-cleanup when F-15 was released.
3. Guest 2: i686.  Otherwise identical to guest 1.

All 3 machines are updated with yum each weekday.  I need to check whether this happens on my home machine, which was a clean install of F-15 (x86_64).  I'll try to remember to do that tonight.
Comment 6 Daniel Walsh 2011-07-12 14:18:13 EDT
Ok I see this on my machine also running rawhide.
Comment 7 Daniel Walsh 2011-07-12 15:05:34 EDT
I think this might be a kernel issue, if the kernel is creating the device.
Comment 8 Daniel Walsh 2011-07-12 15:12:00 EDT
Eric, ptmx gets created when the /dev/pts file system is mounted.  The problem is the device gets created with the wrong label.

 kernel_t device_t :chr_file ptmx_t
 kernel_t devpts_t :chr_file ptmx_t
 sysadm_t device_t :chr_file ptmx_t
 sysadm_t devpts_t :chr_file ptmx_t
 unconfined_t device_t :chr_file ptmx_t
 unconfined_t devpts_t :chr_file ptmx_t

Is written in policy.
Comment 9 Jerry James 2011-10-06 13:35:39 EDT
Since a few days ago, restorecon in Rawhide thinks that /dev/pts/ptmx should have type devpts_t.  Is that right?  The ptmx_t definition is still in /usr/share/selinux/devel/include/kernel/terminal.if.

In any case, I still see the wrong label on my F-15 host machine on bootup.
Comment 10 Daniel Walsh 2011-10-07 10:17:59 EDT
Yes we have changed it to devpts_t since we can not seem to get it to be labeled as ptmx_t, and we are not even sure it should be.

Have not back ported this fix to F15. But it really does not matter.  Since nothing should be being denied.
Comment 11 Daniel Walsh 2011-10-12 13:50:44 EDT
Fixed in the current release of selinux-policy on F16/F17
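
A check for the label mismatch reported in this bug, as an added example that is not part of the original thread: it parses restorecon dry-run output (-v -R -n) into per-file current and expected contexts and reports which context fields differ. The function names and the second sample line are constructed, and the "Would relabel" wording is assumed to be what newer restorecon builds print.

```python
import re

# Constructed sample input. Line 1 is the dry-run output quoted in the report;
# line 2 is a constructed line in the "Would relabel" wording (assumption:
# the format printed by newer restorecon builds, not shown in this thread).
SAMPLE = """\
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0
Would relabel /dev/example0 from system_u:object_r:device_t:s0 to system_u:object_r:example_device_t:s0
"""

PATTERNS = (
    re.compile(r"^restorecon reset (?P<path>.+) context (?P<cur>\S+)->(?P<exp>\S+)$"),
    re.compile(r"^Would relabel (?P<path>.+) from (?P<cur>\S+) to (?P<exp>\S+)$"),
)
FIELDS = ("user", "role", "type", "level")


def split_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    parts += [""] * (4 - len(parts))
    return dict(zip(FIELDS, parts))


def parse_mismatches(text):
    """Return one record per file whose on-disk label differs from policy."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        for pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                cur, exp = split_context(m["cur"]), split_context(m["exp"])
                records.append({
                    "path": m["path"],
                    "current": cur,
                    "expected": exp,
                    "differs": [f for f in FIELDS if cur[f] != exp[f]],
                })
                break
    return records


if __name__ == "__main__":
    for rec in parse_mismatches(SAMPLE):
        print(rec["path"], rec["current"]["type"], "->",
              rec["expected"]["type"], "differs:", ",".join(rec["differs"]))
```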
