Bug 846575 - SELinux is preventing /bin/login from 'write' accesses on the directory log.
SELinux is preventing /bin/login from 'write' accesses on the directory log.
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
16
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:0be688f33c9153e7216df6a9be4...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-08 03:26 EDT by Artur Szymczak
Modified: 2013-02-13 21:02 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-13 21:02:06 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Artur Szymczak 2012-08-08 03:26:01 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.7-1.fc16.x86_64
time:           śro, 8 sie 2012, 09:29:27

description:
:SELinux is preventing /bin/login from 'write' accesses on the directory log.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If aby login powinno mieć domyślnie write dostęp do log directory.
:Then proszę to zgłosić jako błąd.
:Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
:Do
:można tymczasowo zezwolić na ten dostęp wykonując polecenia:
:# grep login /var/log/audit/audit.log | audit2allow -M mojapolityka
:# semodule -i mojapolityka.pp
:
:Additional Information:
:Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:var_log_t:s0
:Target Objects                log [ dir ]
:Source                        login
:Source Path                   /bin/login
:Port                          <Nieznane>
:Host                          (removed)
:Source RPM Packages           util-linux-2.20.1-2.3.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-91.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.7-1.fc16.x86_64 #1 SMP
:                              Mon Jul 30 16:37:23 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    wto, 7 sie 2012, 23:03:20
:Last Seen                     śro, 8 sie 2012, 09:22:43
:Local ID                      ab9536b9-8ca7-48ca-a3e4-cd97800c1fdb
:
:Raw Audit Messages
:type=AVC msg=audit(1344410563.342:46): avc:  denied  { write } for  pid=1017 comm="login" name="log" dev="dm-1" ino=787586 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1344410563.342:46): arch=x86_64 syscall=open success=no exit=EACCES a0=404bca a1=42 a2=0 a3=40 items=0 ppid=1 pid=1017 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=1 comm=login exe=/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
:
:Hash: login,local_login_t,var_log_t,dir,write
:
:audit2allow
:
:#============= local_login_t ==============
:#!!!! The source type 'local_login_t' can write to a 'dir' of the following types:
:# pam_var_run_t, pcscd_var_run_t, pam_var_console_t, local_login_tmp_t, cgroup_t, var_lock_t, var_auth_t, tmp_t, var_t, user_tmp_t, auth_cache_t, faillog_t
:
:allow local_login_t var_log_t:dir write;
:
:audit2allow -R
:
:#============= local_login_t ==============
:#!!!! The source type 'local_login_t' can write to a 'dir' of the following types:
:# pam_var_run_t, pcscd_var_run_t, pam_var_console_t, local_login_tmp_t, cgroup_t, var_lock_t, var_auth_t, tmp_t, var_t, user_tmp_t, auth_cache_t, faillog_t
:
:allow local_login_t var_log_t:dir write;
:
:
Comment 1 Artur Szymczak 2012-08-08 03:29:07 EDT
Steps to reproduce problem:

- login as root on console (tty2)


Additional info:

# find / -inum 787586 -type d
/var/log
# ls -Zd /var/log
drwxr-xr-x. root root system_u:object_r:var_log_t:s0   /var/log
Comment 2 Miroslav Grepl 2012-08-08 04:56:53 EDT
I see we allow this in F17.


Could you switch to permissive

# semanage permissive -a local_login_t 

re-create it and then execute

# ausearch -m avc -su local_login_t |audit2allow -M mylocallogin
# semodule -i mylocallogin.pp
# semanage permissive -d local_login_t
Comment 3 Fedora End Of Life 2013-02-13 21:02:10 EST
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.