Description of problem:
SELinux is preventing /usr/sbin/agetty from setattr access on the chr_file ttyUSB0.

Version-Release number of selected component (if applicable):
3.10.0-156.fc17

How reproducible:
always

Steps to Reproduce:
just instantiate a getty for a USB tty

Actual results:
access is denied

Expected results:
access should be allowed

Additional info:
Source Context                system_u:system_r:getty_t:s0
Target Context                system_u:object_r:usbtty_device_t:s0
Target Objects                ttyUSB0 [ chr_file ]
Source                        agetty
Source Path                   /usr/sbin/agetty
Port                          <Unbekannt>
Host                          pc1
Source RPM Packages           util-linux-2.21.2-2.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pc1
Platform                      Linux pc1 3.6.2-4.fc17.x86_64 #1 SMP Wed Oct 17 02:43:21 UTC 2012 x86_64 x86_64
Alert Count                   8
First Seen                    2012-10-27 18:24:53 CEST
Last Seen                     2012-10-27 18:26:04 CEST
Local ID                      2a2d7075-d371-4664-9a01-b702671907a0

Raw Audit Messages
type=AVC msg=audit(1351355164.336:211): avc: denied { setattr } for pid=3901 comm="agetty" name="ttyUSB0" dev="devtmpfs" ino=134048 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1351355164.336:211): arch=x86_64 syscall=chown success=no exit=EACCES a0=7fff45c60980 a1=0 a2=5 a3=7fff45c5fce0 items=0 ppid=1 pid=3901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=agetty exe=/usr/sbin/agetty subj=system_u:system_r:getty_t:s0 key=(null)

Hash: agetty,getty_t,usbtty_device_t,chr_file,setattr
seinfo -aserial_device -x
   serial_device
      virtio_device_t
      user_tty_device_t
      tty_device_t
      usbtty_device_t

sesearch --allow -s getty_t -t serial_device
Found 1 semantic av rules:
   allow getty_t tty_device_t : chr_file { ioctl read write getattr setattr lock append open } ;
Added also to F18.
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17
Now the permission for read and write is missing. If we keep going this way I think we'll end up with two lines that just differ in the target context. But there is an attribute serial_device (see comment #1). Is it possible to replace this rule:

   allow getty_t tty_device_t : chr_file { ioctl read write getattr setattr lock append open } ;

by this:

   allow getty_t serial_device : chr_file { ioctl read write getattr setattr lock append open } ;

Additional Information:
Source Context                system_u:system_r:getty_t:s0
Target Context                system_u:object_r:usbtty_device_t:s0
Target Objects                ttyUSB0 [ chr_file ]
Source                        agetty
Source Path                   /usr/sbin/agetty
Port                          <Unbekannt>
Host                          pc1
Source RPM Packages           util-linux-2.21.2-2.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-159.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pc1
Platform                      Linux pc1 3.6.5-1.fc17.x86_64 #1 SMP Wed Oct 31 19:37:18 UTC 2012 x86_64 x86_64
Alert Count                   7
First Seen                    2012-11-07 19:06:05 CET
Last Seen                     2012-11-07 19:07:06 CET
Local ID                      5fb6bda9-1b20-40ca-b216-d6c95221f504

Raw Audit Messages
type=AVC msg=audit(1352311626.150:109): avc: denied { read write } for pid=2533 comm="agetty" name="ttyUSB0" dev="devtmpfs" ino=28372 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1352311626.150:109): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff4c9e94f0 a1=902 a2=0 a3=7fff4c9e8850 items=0 ppid=1 pid=2533 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=agetty exe=/usr/sbin/agetty subj=system_u:system_r:getty_t:s0 key=(null)

Hash: agetty,getty_t,usbtty_device_t,chr_file,read,write
This rule needs attention, too:

sesearch --allow -s local_login_t -t serial_device
Found 1 semantic av rules:
   allow local_login_t tty_device_t : chr_file { ioctl read write getattr setattr lock relabelfrom relabelto append open } ;
These permissions are required on my system so far:

getty_t needs chr_file { read write ioctl open getattr };
local_login_t needs chr_file { setattr read ioctl write relabelfrom getattr relabelto open };
Better yet define usbtty_device_t as a term_tty(), which will make it a ttynode and give getty this access.

031ce92aa92c3ecde51df7c3e1762a79aba0c240 in F18 does this
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).
(In reply to comment #7)
> Better yet define usbtty_device_t as a term_tty(), which will make it a
> ttynode and give getty this access.
>
> 031ce92aa92c3ecde51df7c3e1762a79aba0c240 in F18 does this

Backported.
selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This problem seems to have returned in Fedora 29:

SELinux is preventing agetty from setattr access on the chr_file ttyUSB0.
...
SELinux is preventing login from 'read, write' accesses on the chr_file /dev/ttyUSB0.
...
SELinux is preventing login from ioctl access on the chr_file /dev/ttyUSB0.
...
SELinux is preventing login from getattr access on the chr_file ttyUSB0.
...
SELinux is preventing login from setattr access on the chr_file ttyUSB0.
...
SELinux is preventing login from open access on the chr_file /dev/ttyUSB0.
SELinux is preventing unix_chkpwd from 'read, write' accesses on the chr_file /dev/ttyUSB0.
SELinux is preventing login from relabelfrom access on the chr_file ttyUSB0.
SELinux is preventing login from relabelto access on the chr_file ttyUSB0.
SELinux is preventing login from getattr access on the chr_file /dev/ttyUSB0.
SELinux is preventing login from ioctl access on the chr_file /dev/ttyUSB0.
SELinux is preventing login from write access on the chr_file /dev/ttyUSB0.
SELinux is preventing login from setattr access on the chr_file ttyUSB0.
SELinux is preventing login from read access on the chr_file ttyUSB0.
SELinux is preventing login from open access on the chr_file /dev/ttyUSB0.
SELinux is preventing login from relabelfrom access on the chr_file ttyUSB0.
SELinux is preventing agetty from setattr access on the chr_file ttyUSB0.
SELinux is preventing login from 'read, write' accesses on the chr_file /dev/ttyUSB0.
SELinux is preventing unix_chkpwd from 'read, write' accesses on the chr_file /dev/ttyUSB0.
SELinux is preventing login from setattr access on the chr_file ttyUSB0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that login should be allowed setattr access on the ttyUSB0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'login' --raw | audit2allow -M my-login
# semodule -X 300 -i my-login.pp

Additional Information:
Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usbtty_device_t:s0
Target Objects                ttyUSB0 [ chr_file ]
Source                        login
Source Path                   login
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-51.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lucy-001
Platform                      Linux lucy-001 4.20.16-200.fc29.x86_64 #1 SMP Thu Mar 14 15:10:22 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-03-19 22:17:49 PDT
Last Seen                     2019-03-19 22:17:49 PDT
Local ID                      92524490-5c36-45e6-a654-71a73009f6cb

Raw Audit Messages
type=AVC msg=audit(1553059069.410:840): avc: denied { setattr } for pid=1876 comm="login" name="ttyUSB0" dev="devtmpfs" ino=24592 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file permissive=1

Hash: login,local_login_t,usbtty_device_t,chr_file,setattr
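The following Python script is an added example and is not part of this bug report or of the selinux-policy project. It does offline what the ausearch | audit2allow step in comment #12 and the sesearch checks in comments #1 and #4 do on a live system: it parses the raw AVC records quoted in this report, checks each denial against the two allow rules sesearch printed, emits audit2allow-style allow rules for the denials that remain, and then tests the proposal from comment #4 (target the serial_device attribute instead of the concrete type tty_device_t). The AVC lines, the serial_device membership and the two rules are transcribed from this report; the ATTRIBUTES and EXISTING_RULES tables are hand-built constants, not queried from a loaded policy, and nothing here installs a module.

```python
import re

# AVC records constructed from the raw audit messages quoted in this bug
# report (comments #0, #4 and #12); the SYSCALL records are omitted.
AVC_RECORDS = """\
type=AVC msg=audit(1351355164.336:211): avc: denied { setattr } for pid=3901 comm="agetty" name="ttyUSB0" dev="devtmpfs" ino=134048 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1352311626.150:109): avc: denied { read write } for pid=2533 comm="agetty" name="ttyUSB0" dev="devtmpfs" ino=28372 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1553059069.410:840): avc: denied { setattr } for pid=1876 comm="login" name="ttyUSB0" dev="devtmpfs" ino=24592 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file permissive=1
"""

# Attribute membership as `seinfo -aserial_device -x` printed it in comment #1
# (hand-transcribed constant, not read from a live policy).
ATTRIBUTES = {
    "serial_device": {"virtio_device_t", "user_tty_device_t",
                      "tty_device_t", "usbtty_device_t"},
}

# The allow rules sesearch found in comments #1 and #5: (source, target,
# class, permissions). The target is the concrete type tty_device_t.
EXISTING_RULES = [
    ("getty_t", "tty_device_t", "chr_file",
     {"ioctl", "read", "write", "getattr", "setattr", "lock", "append", "open"}),
    ("local_login_t", "tty_device_t", "chr_file",
     {"ioctl", "read", "write", "getattr", "setattr", "lock",
      "relabelfrom", "relabelto", "append", "open"}),
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Turn raw AVC lines into dicts; lines without 'avc: denied' are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "comm": m.group("comm"),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            # permissive=1 means the denial was logged but not enforced
            "permissive": m.group("permissive") == "1",
        })
    return denials


def rule_covers(rule, denial, attributes=ATTRIBUTES):
    """True if the rule grants every permission the denial asked for.

    The rule target may be a concrete type or an attribute name; an attribute
    matches when the denied type is one of its members."""
    source, target, tclass, perms = rule
    target_matches = (target == denial["target"]
                      or denial["target"] in attributes.get(target, set()))
    return (source == denial["source"] and target_matches
            and tclass == denial["tclass"] and denial["perms"] <= perms)


def uncovered(denials, rules, attributes=ATTRIBUTES):
    """Denials that none of the given rules would have allowed."""
    return [d for d in denials
            if not any(rule_covers(r, d, attributes) for r in rules)]


def suggest_rules(denials):
    """Collapse denials into allow rules, one per (source, target, class),
    the way audit2allow summarises them."""
    merged = {}
    for d in denials:
        key = (d["source"], d["target"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    return [f"allow {s} {t} : {c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def widen_to_attribute(rule, attr, attributes=ATTRIBUTES):
    """Rewrite a rule's concrete target type to an attribute that contains it
    (the change proposed in comment #4)."""
    source, target, tclass, perms = rule
    if target not in attributes[attr]:
        raise ValueError(f"{target} is not a member of {attr}")
    return (source, attr, tclass, set(perms))


if __name__ == "__main__":
    denials = parse_avc(AVC_RECORDS)
    print("denials not covered by the existing tty_device_t rules:")
    for line in suggest_rules(uncovered(denials, EXISTING_RULES)):
        print("  " + line)
    widened = [widen_to_attribute(r, "serial_device") for r in EXISTING_RULES]
    print("still uncovered after targeting serial_device:",
          len(uncovered(denials, widened)))
```

The script confirms the point of comment #4: every denial in this report has usbtty_device_t as its target, the two rules only name tty_device_t, and rewriting their target to the serial_device attribute (of which usbtty_device_t is a member) makes all of them pass without adding a second, nearly identical rule per type. Adding the generated rules through audit2allow instead, as comment #12 suggests, grants the same access but leaves the per-type duplication the reporter objected to.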