Davide Bolcioni wrote:
Greetings,
I am investigating the following AVCs
Jan 6 18:12:25 camelot kernel: audit(1168103545.309:4): avc: denied { use }
for pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745
scontext=root:system_r:tzdata_t:s0-s0:c0.c255
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
Jan 6 18:12:25 camelot kernel: audit(1168103545.310:5): avc: denied { use }
for pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745
scontext=root:system_r:tzdata_t:s0-s0:c0.c255
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
which occurred when updating tzdata just after upgrading from Fedora Core 5 to
Fedora Core 6. During the same update I also encountered
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=222179
but I did not see the above two lines mentioned (the inode 1745
matched /dev/tty1 at the time). I just tried running tzdata-update from an
xterm and when logged at the console, but the above no longer happens. At
present I have:
$ ls -lZ /dev/tty1
crw--w---- root tty root:object_r:tty_device_t /dev/tty1
so I wonder if the above just got fixed in the meantime or there is some
interaction with pam_console using different labeling from what the policy
expects - I was running in runlevel 1 at the time.
This indicates that you logged in on a terminal and somehow restarted
tzdata, which tried to access the open file descriptor hooked to the
terminal. I have added a locallogin_dontaudit_use_fds(tzdata_t) to the
next policy update.
Thank you for your consideration,
Davide Bolcioni
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
