Résumé: SELinux is preventing /usr/bin/chsh "open" access on /var/run/utmp. Description détaillée: [SELinux est en mode permissif. Cet accès n'a pas été refusé.] SELinux denied access requested by chsh. It is not expected that this access is required by chsh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Autoriser l'accès: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Informations complémentaires: Contexte source unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 Contexte cible system_u:object_r:initrc_var_run_t:s0 Objets du contexte /var/run/utmp [ file ] source chsh Chemin de la source /usr/bin/chsh Port <Inconnu> Hôte (removed) Paquetages RPM source util-linux-ng-2.16.2-7.fc12 Paquetages RPM cible initscripts-9.02.1-1 Politique RPM selinux-policy-3.6.32-99.fc12 Selinux activé True Type de politique targeted Mode strict Permissive Nom du plugin catchall Nom de l'hôte (removed) Plateforme Linux (removed) 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686 Compteur d'alertes 1 Première alerte ven 19 mar 2010 10:13:43 CET Dernière alerte ven 19 mar 2010 10:13:43 CET ID local 9b460434-f400-4453-b04f-61cbe2c68b28 Numéros des lignes Messages d'audit bruts node=(removed) type=AVC msg=audit(1268990023.41:23436): avc: denied { open } for pid=7421 comm="chsh" name="utmp" dev=dm-0 ino=235 scontext=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1268990023.41:23436): arch=40000003 syscall=5 success=yes exit=3 a0=249cb5 a1=88000 a2=e2592c a3=249cbb items=0 ppid=29303 pid=7421 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts3 ses=1 comm="chsh" exe="/usr/bin/chsh" subj=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 key=(null) Hash String generated from catchall,chsh,chfn_t,initrc_var_run_t,file,open audit2allow suggests: #============= chfn_t ============== allow chfn_t initrc_var_run_t:file open;
I also submitted the SELinux alert I got with "lock" on /var/run/utmp. https://bugzilla.redhat.com/show_bug.cgi?id=575051
*** Bug 575051 has been marked as a duplicate of this bug. ***
Miroslav Make this change interface(`init_dontaudit_rw_utmp',` gen_require(` type initrc_var_run_t; ') dontaudit $1 initrc_var_run_t:file rw_file_perms; ')
Fixed in selinux-policy-3.6.32-105.fc12
selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.