abrt version: 2.0.5
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.0.0-1.fc16.x86_64
reason: SELinux is preventing /usr/bin/chfn from 'getattr' accesses on the sock_file /dev/gpmctl.
time: Sat Sep 3 11:42:36 2011
description:
:SELinux is preventing /usr/bin/chfn from 'getattr' accesses on the sock_file /dev/gpmctl.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that chfn should be allowed getattr access on the gpmctl sock_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep chfn /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:chfn_t:s0
:Target Context                system_u:object_r:gpmctl_t:s0
:Target Objects                /dev/gpmctl [ sock_file ]
:Source                        chfn
:Source Path                   /usr/bin/chfn
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           util-linux-2.19.1-2.fc16
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-15.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.0.0-1.fc16.x86_64 #1 SMP Fri
:                              Jul 22 16:09:29 UTC 2011 x86_64 x86_64
:Alert Count                   1
:First Seen                    Sat 03 Sep 2011 10:39:48 AM CLST
:Last Seen                     Sat 03 Sep 2011 10:39:48 AM CLST
:Local ID                      18c7d39a-93c0-40f6-b487-cc5d7f8d07e6
:
:Raw Audit Messages
:type=AVC msg=audit(1315057188.476:86): avc: denied { getattr } for pid=2245 comm="chfn" path="/dev/gpmctl" dev=devtmpfs ino=12756 scontext=unconfined_u:unconfined_r:chfn_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file
:
:
:type=SYSCALL msg=audit(1315057188.476:86): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fffd89b96d0 a1=7fffd89b4fa0 a2=7fffd89b4fa0 a3=0 items=0 ppid=2214 pid=2245 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm=chfn exe=/usr/bin/chfn subj=unconfined_u:unconfined_r:chfn_t:s0 key=(null)
:
:Hash: chfn,chfn_t,gpmctl_t,sock_file,getattr
:
:audit2allow
:
:#============= chfn_t ==============
:allow chfn_t gpmctl_t:sock_file getattr;
:
:audit2allow -R
:
:#============= chfn_t ==============
:allow chfn_t gpmctl_t:sock_file getattr;
:
Does everything work as you expect?
*** Bug 735557 has been marked as a duplicate of this bug. ***
*** Bug 735558 has been marked as a duplicate of this bug. ***
*** Bug 735559 has been marked as a duplicate of this bug. ***
*** Bug 735560 has been marked as a duplicate of this bug. ***
*** Bug 735561 has been marked as a duplicate of this bug. ***
*** Bug 735562 has been marked as a duplicate of this bug. ***
*** Bug 735563 has been marked as a duplicate of this bug. ***
*** Bug 735564 has been marked as a duplicate of this bug. ***
*** Bug 735565 has been marked as a duplicate of this bug. ***
*** Bug 735566 has been marked as a duplicate of this bug. ***
*** Bug 735567 has been marked as a duplicate of this bug. ***
*** Bug 735568 has been marked as a duplicate of this bug. ***
*** Bug 735570 has been marked as a duplicate of this bug. ***
*** Bug 735571 has been marked as a duplicate of this bug. ***
*** Bug 735572 has been marked as a duplicate of this bug. ***
*** Bug 735573 has been marked as a duplicate of this bug. ***
*** Bug 735574 has been marked as a duplicate of this bug. ***
*** Bug 735575 has been marked as a duplicate of this bug. ***
*** Bug 735576 has been marked as a duplicate of this bug. ***
*** Bug 735577 has been marked as a duplicate of this bug. ***
*** Bug 735578 has been marked as a duplicate of this bug. ***
*** Bug 735579 has been marked as a duplicate of this bug. ***
*** Bug 735581 has been marked as a duplicate of this bug. ***
*** Bug 735582 has been marked as a duplicate of this bug. ***
*** Bug 735583 has been marked as a duplicate of this bug. ***
PLEASE do not just hit "report bug" like this; it just becomes a pain for us to handle. If you see lots of AVC messages all related to the same problem, please report one bug and then tell us you got lots of AVCs. This will make us a lot more efficient.
util-linux guys, any idea why chfn would stat every device?
Miroslav, since we already have dev_dontaudit_getattr_all(useradd_t), this is probably the same problem, and we should just add dev_dontaudit_getattr_all(chfn_t).
(In reply to comment #28)
> util-linux guys, any idea why chfn would stat every device?

I don't understand the question. It doesn't work with devices. Try

strace -e open,stat,fstat -o ~/log chfn

or send the complete strace.
Probably a rogue PAM module. I would figure pam_finger.
Is it possible that this is the ttyname() problem? And that the real solution is to allow getattr on the tty devices rather than to dontaudit all getattrs for these utilities?
(In reply to comment #32)
> Is it possible that this is the ttyname() problem?

Good point. By default ttyname() reads the /proc/self/fd/1 symlink, for example:

readlink("/proc/self/fd/0", "/dev/pts/1", 4095) = 10
stat("/dev/pts/1", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0

and if this way is unsuccessful then it scans (readdir + stat) the "/dev/pts" and "/dev" directories :-(

Anyway, I don't see any reason why chfn(1) should not be able to read /proc/self/fd/* files.
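The two ttyname() strategies described in the comment above, as an added example that is not part of the bug report or of util-linux: a fast path that resolves /proc/self/fd/N and confirms it with stat()+fstat(), and the fallback directory scan whose stat() of every entry is what produces getattr requests on non-tty nodes such as a sock_file. The function names are the example's own; it assumes a Linux system with /proc mounted.

```c
/* Added example, not from the bug report: minimal ttyname()-style lookup with
 * the two strategies the thread describes. Fast path: resolve /proc/self/fd/N
 * and confirm with stat()+fstat(). Fallback: stat() every entry of a directory,
 * which issues getattr on unrelated nodes such as a sock_file. Linux-only. */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same object: device, inode and (for device nodes) rdev all agree. */
static int same_node(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino &&
           a->st_rdev == b->st_rdev;
}

/* Fast path: readlink("/proc/self/fd/N"), then verify the target is really
 * the open object (link text may be stale). Returns 0 on success, -1 if not. */
int name_via_procfs(int fd, char *out, size_t outsz) {
    char link[64];
    struct stat fst, st;
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, out, outsz - 1);
    if (n < 0 || fstat(fd, &fst) < 0) return -1;
    out[n] = '\0';
    return (stat(out, &st) == 0 && same_node(&fst, &st)) ? 0 : -1;
}

/* Fallback: stat() each entry of dir until one matches fd. *stats counts the
 * stat() calls issued; each one is a getattr on that node, tty or not. */
int name_via_scan(int fd, const char *dir, char *out, size_t outsz, int *stats) {
    struct stat fst, st;
    struct dirent *de;
    int found = -1;
    *stats = 0;
    DIR *d = (fstat(fd, &fst) == 0) ? opendir(dir) : NULL;
    if (!d) return -1;
    while (found < 0 && (de = readdir(d)) != NULL) {
        if (de->d_name[0] == '.') continue;
        snprintf(out, outsz, "%s/%s", dir, de->d_name);
        (*stats)++;                 /* one getattr per directory entry */
        if (stat(out, &st) == 0 && same_node(&fst, &st))
            found = 0;
    }
    closedir(d);
    return found;
}
```

If stat() on the pty the /proc link points to is itself denied, the fast path fails and the scan runs, touching every node in /dev; allowing getattr on pty devices, as the later comment's policy change does, keeps the lookup on the fast path.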
I guess it depends on what those are links to. I am not sure what the label of /dev/pts/1 is that is triggering the problem.

git patch 7493a8faf03525018b2ba0531deb816aa66f60a8

Allows all of chfn, passwd, useradd, groupadd to getattr on any pty. Should show up in selinux-policy-3.10.0-46.fc16.
I guess that the problem is fixed now. Closing.