Bug 569662 - SELinux is preventing /usr/libexec/abrt-hook-python access to a leaked /dev/tty3 file descriptor.
Summary: SELinux is preventing /usr/libexec/abrt-hook-python access to a leaked /dev/t...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:e580658c612...
Depends On:
Blocks:
Reported: 2010-03-02 00:00 UTC by Tommy He
Modified: 2010-04-28 11:46 UTC (History)

Fixed In Version: selinux-policy-3.7.11-1.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-10 06:48:34 UTC
Type: ---
Embargoed:



Description Tommy He 2010-03-02 00:00:43 UTC
Summary:

SELinux is preventing /usr/libexec/abrt-hook-python access to a leaked /dev/tty3
file descriptor.

Detailed Description:

[abrt-hook-pytho has a permissive type (abrt_helper_t). This access was not
denied.]

SELinux denied access requested by the abrt-hook-pytho command. It looks like
this is either a leaked descriptor or abrt-hook-pytho output was redirected to a
file it is not allowed to access. Leaks usually can be ignored since SELinux is
just closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /dev/tty3. You should generate a bugzilla on selinux-policy, and
it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tty_device_t:s0
Target Objects                /dev/tty3 [ chr_file ]
Source                        abrt-hook-pytho
Source Path                   /usr/libexec/abrt-hook-python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           abrt-addon-python-1.0.8-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.10-3.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33-0.52.rc8.git6.fc13.i686 #1 SMP Tue Feb 23
                              05:11:28 UTC 2010 i686 i686
Alert Count                   4
First Seen                    Mon 01 Mar 2010 23:58:16
Last Seen                     Tue 02 Mar 2010 00:00:01
Local ID                      de6946e5-90b8-49b8-806a-9aa7c25c0985
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1267506001.446:29461): avc:  denied  { append } for  pid=3819 comm="abrt-hook-pytho" path="/dev/tty3" dev=devtmpfs ino=5506 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1267506001.446:29461): arch=40000003 syscall=11 success=yes exit=0 a0=8de3640 a1=8bff330 a2=bf826840 a3=3 items=0 ppid=3818 pid=3819 auid=500 uid=0 gid=0 euid=497 suid=497 fsuid=497 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="abrt-hook-pytho" exe="/usr/libexec/abrt-hook-python" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  leaks,abrt-hook-pytho,abrt_helper_t,tty_device_t,chr_file,append
audit2allow suggests:

#============= abrt_helper_t ==============
allow abrt_helper_t tty_device_t:chr_file append;

Comment 1 Daniel Walsh 2010-03-02 13:29:53 UTC
Miroslav,

Can you add

term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
to F12


Fixed in selinux-policy-3.7.10-6.fc13.noarch
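The triage behind this fix, as an added example (not part of the bug report, and not setroubleshoot's or audit2allow's own logic): pair the AVC and SYSCALL records by audit event id and treat a path-based denial logged on execve as an inherited descriptor, which calls for dontaudit rather than the allow rule audit2allow printed. The heuristic and the function names are assumptions, and the raw dontaudit rule it emits covers only this one denial, which is narrower than the term_dontaudit_use_all_ttys / term_dontaudit_use_all_ptys interfaces requested above.

```python
import re
from collections import defaultdict

# Records from "Raw Audit Messages" above; SYSCALL fields unused here are omitted.
RECORDS = [
    'node=(removed) type=AVC msg=audit(1267506001.446:29461): avc:  denied  '
    '{ append } for  pid=3819 comm="abrt-hook-pytho" path="/dev/tty3" '
    'dev=devtmpfs ino=5506 '
    'scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file',
    'node=(removed) type=SYSCALL msg=audit(1267506001.446:29461): '
    'arch=40000003 syscall=11 success=yes exit=0 ppid=3818 pid=3819 '
    'comm="abrt-hook-pytho" exe="/usr/libexec/abrt-hook-python"',
]

# (audit arch, syscall number) for execve: i386 as in the report, plus x86_64.
EXECVE = {("40000003", "11"), ("c000003e", "59")}

def parse(line):
    """Return (event_id, fields) for one audit record."""
    event = re.search(r"msg=audit\(([\d.]+:\d+)\)", line).group(1)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r"\{([^}]*)\}", line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return event, fields

def triage(lines):
    """Pair AVC and SYSCALL records by event id and flag exec-time file denials."""
    events = defaultdict(dict)
    for line in lines:
        event, fields = parse(line)
        events[event][fields["type"]] = fields
    results = []
    for event, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc is None:
            continue
        # Assumed heuristic: a path-based denial logged on execve concerns a
        # descriptor the new domain inherited, not one the program opened.
        inherited = "path" in avc and (sc.get("arch"), sc.get("syscall")) in EXECVE
        src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        p = avc["perms"]
        perm_s = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rule = f"dontaudit {src} {tgt}:{avc['tclass']} {perm_s};" if inherited else None
        results.append({"event": event, "inherited_fd": inherited, "dontaudit": rule})
    return results

if __name__ == "__main__":
    for r in triage(RECORDS):
        print(r)
```

A denial that is not flagged this way gets no suggested rule at all, so nothing is silenced without someone reading the record first.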

Comment 2 Tommy He 2010-03-02 16:43:37 UTC
Sorry, but why F12?

It was detected on F13 Alpha LiveCD Gnome Spin when I was trying to launch anaconda.

Comment 3 Daniel Walsh 2010-03-02 16:51:40 UTC
Because it will eventually show up in F12 and RHEL6.

Comment 4 Fedora Update System 2010-03-04 18:46:48 UTC
selinux-policy-3.7.11-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.11-1.fc13

Comment 5 Fedora Update System 2010-03-05 03:34:39 UTC
selinux-policy-3.7.11-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.11-1.fc13

Comment 6 Fedora Update System 2010-03-10 06:48:08 UTC
selinux-policy-3.7.11-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

