Bug 681548 - SELinux is preventing /sbin/mingetty "setattr" access on tty2.
Summary: SELinux is preventing /sbin/mingetty "setattr" access on tty2.
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: BaseOS QE Security Team
URL:
Whiteboard: setroubleshoot_trace_hash:6580d63395f...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-02 14:46 UTC by Red Hat Case Diagnostics
Modified: 2018-11-14 14:10 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-11 15:24:59 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Red Hat Case Diagnostics 2011-03-02 14:46:06 UTC
Summary:

SELinux is preventing /sbin/mingetty "setattr" access on tty2.

Detailed Description:

SELinux denied access requested by mingetty. It is not expected that this access
is required by mingetty and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:sysadm_t:s0
Target Context                system_u:object_r:tty_device_t:s0
Target Objects                tty2 [ chr_file ]
Source                        mingetty
Source Path                   /sbin/mingetty
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mingetty-1.08-4.1.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-54.el6_0.3
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32-71.14.1.el6.x86_64 #1 SMP Wed Jan 5
                              17:01:01 EST 2011 x86_64 x86_64
Alert Count                   27
First Seen                    Wed 02 Mar 2011 09:33:02 AM EST
Last Seen                     Wed 02 Mar 2011 09:35:13 AM EST
Local ID                      9a5ddf43-7d20-4afd-afd0-7c4012b45b7a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1299076513.198:38818): avc:  denied  { setattr } for  pid=15635 comm="mingetty" name="tty2" dev=devtmpfs ino=5067 scontext=system_u:system_r:sysadm_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1299076513.198:38818): arch=c000003e syscall=92 success=no exit=-13 a0=7fff006fba40 a1=0 a2=0 a3=8 items=0 ppid=1 pid=15635 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mingetty" exe="/sbin/mingetty" subj=system_u:system_r:sysadm_t:s0 key=(null)



Hash String generated from  catchall,mingetty,sysadm_t,tty_device_t,chr_file,setattr
audit2allow suggests:

#============= sysadm_t ==============
allow sysadm_t tty_device_t:chr_file setattr;

Comment 3 Daniel Walsh 2011-03-02 19:22:33 UTC
Why is sysadm_t running mingetty?


Note You need to log in before you can comment on or make changes to this bug.