SELinux is preventing /bin/systemd-tty-ask-password-agent from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that systemd-tty-ask-password-agent should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tty-ask /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_passwd_agent_t:s0
Target Context                system_u:system_r:systemd_passwd_agent_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-tty-ask
Source Path                   /bin/systemd-tty-ask-password-agent
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           systemd-19-1.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.15-2.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38-rc7-00142-g212e349 #267 Sat Mar 5 21:22:31 CET 2011 i686 i686
Alert Count                   3
First Seen                    So 06 Mär 2011 12:49:22 CET
Last Seen                     So 06 Mär 2011 13:35:02 CET
Local ID                      266ae09b-6a80-444d-b44d-1d437f1f24a3

Raw Audit Messages
type=AVC msg=audit(1299414902.482:558): avc: denied { dac_override } for pid=870 comm="systemd-tty-ask" capability=1 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability

type=AVC msg=audit(1299414902.482:558): avc: denied { open } for pid=870 comm="systemd-tty-ask" name="tty4" dev=tmpfs ino=6107 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1299414902.482:558): arch=i386 syscall=open success=yes exit=ENOEXEC a0=8cd9338 a1=80901 a2=80518c4 a3=0 items=0 ppid=1 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=system_u:system_r:systemd_passwd_agent_t:s0 key=(null)

Hash: systemd-tty-ask,systemd_passwd_agent_t,systemd_passwd_agent_t,capability,dac_override

audit2allow

#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t self:capability dac_override;
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'
allow systemd_passwd_agent_t user_tty_device_t:chr_file open;

audit2allow -R

#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t self:capability dac_override;
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'
allow systemd_passwd_agent_t user_tty_device_t:chr_file open;
I think systemd_passwd_agent_t is opening a connection to the logged in user?
Thomas how did you get this to happen?
*** Bug 682529 has been marked as a duplicate of this bug. ***
(In reply to comment #2)
> Thomas how did you get this to happen?

I don't know anymore. I don't get this alert anymore. I guess we can close this one. I'll reopen when I see this again.