Bug 765767 - SELinux is preventing /sbin/rsyslogd from 'open' accesses on the chr_file 1.
Summary: SELinux is preventing /sbin/rsyslogd from 'open' accesses on the chr_file 1.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:50d77ea8bff4579ab975cd5f60c...
: 765768 784698 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-12-09 11:26 UTC by Douglas Furlong
Modified: 2012-03-06 13:00 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.10.0-75.fc16
Clone Of:
Environment:
Last Closed: 2012-02-02 17:24:59 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: description (2.77 KB, text/plain)
2011-12-09 11:26 UTC, Douglas Furlong 		no flags Details
View All

Description Douglas Furlong 2011-12-09 11:26:50 UTC 
libreport version: 2.0.7
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.4-1.fc16.x86_64
reason:         SELinux is preventing /sbin/rsyslogd from 'open' accesses on the chr_file 1.
time:           Fri 09 Dec 2011 11:25:16 GMT

description:    Text file, 2840 bytes
Comment 1 Douglas Furlong 2011-12-09 11:26:53 UTC 
Created attachment 544487 [details]
File: description
Comment 2 Miroslav Grepl 2011-12-09 12:36:04 UTC 
*** Bug 765768 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2011-12-09 12:39:42 UTC 
Does it happen by default?
Comment 4 Miroslav Grepl 2011-12-09 12:44:38 UTC 
Tomas,
any idea why rsyslogd needs to use user pty?
Comment 5 Daniel Walsh 2011-12-13 20:08:37 UTC 
Douglas did you setup syslog to write to the users pty?
Comment 6 Douglas Furlong 2011-12-15 16:21:43 UTC 
Afternoon all

Sorry for taking so long to get back to you.

This was a base install without any modification.

p.s. sorry for the duplicate bug post.
Comment 7 Tomas Heinrich 2011-12-21 12:24:13 UTC 
(In reply to comment #4)
> Tomas,
> any idea why rsyslogd needs to use user pty?

Perhaps emergency (wall) messages?
(But I'm not sure how probable that is.)
Comment 8 Daniel Walsh 2011-12-22 15:53:52 UTC 
The command it was executing is:

rs:main Q:Reg
Comment 9 Tomas Heinrich 2012-01-31 16:00:11 UTC 
I'm able to reproduce it with

# setenforce 0
# echo l > /proc/sysrq-trigger

/var/log/audit/audit.log:
type=AVC msg=audit(1328020365.437:66): avc:  denied  { open } for  pid=643 comm=72733A6D61696E20513A526567 name="1" dev=devpts ino=4 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file

rsyslog-5.8.7-1.fc16
kernel-3.2.2-1.fc16
selinux-policy-targeted-3.10.0-72.fc16.noarch

This generates messages with priority kern.emerg<0>, kern.warning<4> and the daemon attempts to write them to all users.
This looks like a reasonable use case and probably should be allowed in the policy.
Comment 10 Daniel Walsh 2012-01-31 16:13:59 UTC 
This can be allowed via a disabled boolean.  I don't think this is that common, and I am not crazy about a root process that can be potentially tricked by apps to convince users to do crazy things...

syslog_use_tty
Comment 11 Fedora Update System 2012-02-01 13:18:57 UTC 
selinux-policy-3.10.0-75.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-75.fc16
Comment 12 Fedora Update System 2012-02-01 19:25:57 UTC 
Package selinux-policy-3.10.0-75.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-75.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1133/selinux-policy-3.10.0-75.fc16
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2012-02-02 17:24:59 UTC 
selinux-policy-3.10.0-75.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Tomas Heinrich 2012-03-06 13:00:44 UTC 
*** Bug 784698 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.