Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 521390 - setroubleshoot: SELinux is preventing groupadd (groupadd_t) "read" console (console_device_t).
Summary: setroubleshoot: SELinux is preventing groupadd (groupadd_t) "read" conso...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:76ca7bd8c21...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-05 14:33 UTC by Nicolas Mailhot
Modified: 2009-09-09 21:20 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-09 21:20:31 UTC
Type: ---


Attachments (Terms of Use)

Description Nicolas Mailhot 2009-09-05 14:33:06 UTC
The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing groupadd (groupadd_t) "read" console (console_device_t).

Description détaillée:

[groupadd has a permissive type (groupadd_t). This access was not denied.]

SELinux denied access requested by the groupadd command. It looks like this is
either a leaked descriptor or groupadd output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the console. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Informations complémentaires:

Contexte source               unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
Contexte cible                system_u:object_r:console_device_t:s0
Objets du contexte            console [ chr_file ]
source                        groupadd
Chemin de la source           /usr/sbin/groupadd
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         shadow-utils-4.1.4.1-6.fc12
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.26-8.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 leaks
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31-0.138.rc5.git3.fc12.x86_64
                              #1 SMP Thu Aug 6 16:59:15 EDT 2009 x86_64 x86_64
Compteur d'alertes            3
Première alerte              sam. 05 sept. 2009 15:39:07 CEST
Dernière alerte              sam. 05 sept. 2009 15:39:32 CEST
ID local                      d17f5900-380a-402e-b3dc-009415cd21e8
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1252157972.813:174): avc:  denied  { read } for  pid=14180 comm="groupadd" name="console" dev=tmpfs ino=1052 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1252157972.813:174): arch=c000003e syscall=59 success=yes exit=0 a0=981360 a1=9815a0 a2=97f0f0 a3=7fff84772e50 items=0 ppid=14179 pid=14180 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= groupadd_t ==============
allow groupadd_t console_device_t:chr_file read;

Comment 1 Daniel Walsh 2009-09-08 22:06:56 UTC
What were you doing when this happened?  Some app is leaking a connection to /dev/console.

Comment 2 Nicolas Mailhot 2009-09-09 06:12:00 UTC
I didn't create any user myself lately so it was probably done by a rpm package at install phase

Comment 3 Daniel Walsh 2009-09-09 21:20:31 UTC
Fixed in selinux-policy-3.6.31-2.fc12.noarch


Note You need to log in before you can comment on or make changes to this bug.