libreport version: 2.0.10
executable: /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel: 3.4.7-1.fc16.x86_64
time: śro, 8 sie 2012, 09:29:27

description:
:SELinux is preventing /bin/login from 'write' accesses on the directory log.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If aby login powinno mieć domyślnie write dostęp do log directory.
:Then proszę to zgłosić jako błąd.
:Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
:Do
:można tymczasowo zezwolić na ten dostęp wykonując polecenia:
:# grep login /var/log/audit/audit.log | audit2allow -M mojapolityka
:# semodule -i mojapolityka.pp
:
:Additional Information:
:Source Context system_u:system_r:local_login_t:s0-s0:c0.c1023
:Target Context system_u:object_r:var_log_t:s0
:Target Objects log [ dir ]
:Source login
:Source Path /bin/login
:Port <Nieznane>
:Host (removed)
:Source RPM Packages util-linux-2.20.1-2.3.fc16.x86_64
:Target RPM Packages
:Policy RPM selinux-policy-3.10.0-91.fc16.noarch
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Enforcing
:Host Name (removed)
:Platform Linux (removed) 3.4.7-1.fc16.x86_64 #1 SMP
: Mon Jul 30 16:37:23 UTC 2012 x86_64 x86_64
:Alert Count 2
:First Seen wto, 7 sie 2012, 23:03:20
:Last Seen śro, 8 sie 2012, 09:22:43
:Local ID ab9536b9-8ca7-48ca-a3e4-cd97800c1fdb
:
:Raw Audit Messages
:type=AVC msg=audit(1344410563.342:46): avc: denied { write } for pid=1017 comm="login" name="log" dev="dm-1" ino=787586 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1344410563.342:46): arch=x86_64 syscall=open success=no exit=EACCES a0=404bca a1=42 a2=0 a3=40 items=0 ppid=1 pid=1017 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=1 comm=login exe=/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
:
:Hash: login,local_login_t,var_log_t,dir,write
:
:audit2allow
:
:#============= local_login_t ==============
:#!!!! The source type 'local_login_t' can write to a 'dir' of the following types:
:# pam_var_run_t, pcscd_var_run_t, pam_var_console_t, local_login_tmp_t, cgroup_t, var_lock_t, var_auth_t, tmp_t, var_t, user_tmp_t, auth_cache_t, faillog_t
:
:allow local_login_t var_log_t:dir write;
:
:audit2allow -R
:
:#============= local_login_t ==============
:#!!!! The source type 'local_login_t' can write to a 'dir' of the following types:
:# pam_var_run_t, pcscd_var_run_t, pam_var_console_t, local_login_tmp_t, cgroup_t, var_lock_t, var_auth_t, tmp_t, var_t, user_tmp_t, auth_cache_t, faillog_t
:
:allow local_login_t var_log_t:dir write;
:
:
Steps to reproduce problem:
- login as root on console (tty2)

Additional info:
# find / -inum 787586 -type d
/var/log
# ls -Zd /var/log
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 /var/log
I see we allow this in F17. Could you switch to permissive

# semanage permissive -a local_login_t

re-create it and then execute

# ausearch -m avc -su local_login_t |audit2allow -M mylocallogin
# semodule -i mylocallogin.pp
# semanage permissive -d local_login_t
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.