概述: SELinux is preventing /usr/libexec/abrt-hook-python access to a leaked /dev/tty3 file descriptor. 详细描述: [abrt-hook-pytho 有一个宽容类型 (abrt_helper_t)。此访问未受拒绝。] SELinux denied access requested by the abrt-hook-pytho command. It looks like this is either a leaked descriptor or abrt-hook-pytho output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /dev/tty3. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc. 允许访问: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) 附加信息: 源上下文 unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c 1023 目标上下文 system_u:object_r:tty_device_t:s0 目标对象 /dev/tty3 [ chr_file ] 源 abrt-hook-pytho 源路径 /usr/libexec/abrt-hook-python 端口 <未知> 主机 (removed) 源 RPM 软件包 abrt-addon-python-1.0.8-1.fc13 目标 RPM 软件包 策略 RPM selinux-policy-3.7.10-3.fc13 启用 Selinux True 策略类型 targeted Enforcing 模式 Enforcing 插件名称 leaks 主机名 (removed) 平台 Linux (removed) 2.6.33-0.52.rc8.git6.fc13.i686 #1 SMP Tue Feb 23 05:11:28 UTC 2010 i686 i686 警报计数 4 第一个 2010年03月01日 星期一 23时58分16秒 最后一个 2010年03月02日 星期二 00时00分01秒 本地 ID de6946e5-90b8-49b8-806a-9aa7c25c0985 行号 原始核查信息 node=(removed) type=AVC msg=audit(1267506001.446:29461): avc: denied { append } for pid=3819 comm="abrt-hook-pytho" path="/dev/tty3" dev=devtmpfs ino=5506 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file node=(removed) type=SYSCALL msg=audit(1267506001.446:29461): arch=40000003 syscall=11 success=yes exit=0 a0=8de3640 a1=8bff330 a2=bf826840 a3=3 items=0 ppid=3818 pid=3819 auid=500 uid=0 gid=0 euid=497 suid=497 fsuid=497 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="abrt-hook-pytho" exe="/usr/libexec/abrt-hook-python" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null) Hash String generated from leaks,abrt-hook-pytho,abrt_helper_t,tty_device_t,chr_file,append audit2allow suggests: #============= abrt_helper_t ============== allow abrt_helper_t tty_device_t:chr_file append;
Miroslav, Can you add term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) to F12 Fixed in selinux-policy-3.7.10-6.fc13.noarch
Sorry, but Why F12? It was detected on F13 Alpha LiveCD Gnome Spin when I was trying to launch anaconda.
Because it will eventually show up in F12 and RHEL6.
selinux-policy-3.7.11-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.11-1.fc13
selinux-policy-3.7.11-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.11-1.fc13
selinux-policy-3.7.11-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.