Bug 794485 - SELinux is preventing /lib/systemd/systemd-logind from using the 'sys_tty_config' capabilities.
Summary: SELinux is preventing /lib/systemd/systemd-logind from using the 'sys_tty_con...
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: i686
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:8889bcc55b793733123fd9a1341...
Reported: 2012-02-16 22:52 UTC by Tony Browning
Modified: 2012-02-27 17:15 UTC

Doc Type: Bug Fix
Last Closed: 2012-02-17 14:44:59 UTC
Type: ---



Description Tony Browning 2012-02-16 22:52:28 UTC
libreport version: 2.0.6
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-7.fc16.i686
reason:         SELinux is preventing /lib/systemd/systemd-logind from using the 'sys_tty_config' capabilities.
time:           Thu Feb 16 17:56:25 2012

description:
:SELinux is preventing /lib/systemd/systemd-logind from using the 'sys_tty_config' capabilities.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that systemd-logind should have the sys_tty_config capability by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:systemd_logind_t:s0
:Target Context                system_u:system_r:systemd_logind_t:s0
:Target Objects                Unknown [ capability ]
:Source                        systemd-logind
:Source Path                   /lib/systemd/systemd-logind
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-46.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.1.0-7.fc16.i686 #1 SMP Tue Nov
:                              1 21:00:16 UTC 2011 i686 i686
:Alert Count                   39
:First Seen                    Mon 13 Feb 2012 03:49:05 AM EST
:Last Seen                     Thu 16 Feb 2012 05:43:39 PM EST
:Local ID                      3bad55b3-3931-461e-bd0d-0840964f476e
:
:Raw Audit Messages
:type=AVC msg=audit(1329432219.420:104): avc:  denied  { sys_tty_config } for  pid=867 comm="systemd-logind" capability=26  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability
:
:
:Hash: systemd-logind,systemd_logind_t,systemd_logind_t,capability,sys_tty_config
:
:audit2allow
:
:#============= systemd_logind_t ==============
:#!!!! This avc is allowed in the current policy
:
:allow systemd_logind_t self:capability sys_tty_config;
:
:audit2allow -R
:
:#============= systemd_logind_t ==============
:#!!!! This avc is allowed in the current policy
:
:allow systemd_logind_t self:capability sys_tty_config;
:

Comment 1 Daniel Walsh 2012-02-17 14:44:59 UTC
:#============= systemd_logind_t ==============
:#!!!! This avc is allowed in the current policy
:
:allow systemd_logind_t self:capability sys_tty_config;

Comment 2 Tony Browning 2012-02-26 00:59:44 UTC
Thanks Daniel, I understand now. If I allow it there is no use in reporting it. I was having much trouble and panic I guess. Thanks again.

Comment 3 Daniel Walsh 2012-02-27 17:15:49 UTC
Ok, did you add an allow for this? I see this allowed in F17, not sure if it has been backported to F16.

