I've not looked at the bash source code for more than a dozen years, so this is just speculation.
Are there any reads from the TTY (stdin, /dev/tty, etc.) that would be caused by the script, including processing of ~/.bashrc? If so, bash could be calling ioctl to put the (pseudo)tty device (or file descriptor 0) into cooked mode?
You could probably use strace to get to the bottom of it.
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
On Wed, Jan 30, 2019, 13:05 Ian Pilcher <arequipeno@xxxxxxxxx> wrote:
This is not strictly an SELinux question, but I figure that someone may
have run across this before and have some idea what's going on.
type=AVC msg=audit(1548870149.222:8945): avc: denied { ioctl } for
pid=20752 comm="bash" path="/etc/pki/radiusd/certmonger-post.sh"
dev="dm-0" ino=8415894 ioctlcmd=5401
scontext=system_u:system_r:certmonger_t:s0
tcontext=unconfined_u:object_r:radiusd_cert_t:s0 tclass=file permissive=0
This occurs when certmonger runs:
'/usr/bin/bash /etc/pki/radiusd/certmonger-post.sh'
Try as I might, I can't think of any reason why bash would be calling
ioctl on a script file, so I'm not sure whether to dontaudit or allow
this (as it seems to be a non-fatal error).
Anyone have any ideas?
Thanks!
--
========================================================================
Ian Pilcher arequipeno@xxxxxxxxx
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
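Added example, not part of either poster's message: a small parser for the AVC record quoted in the thread that decodes ioctlcmd and drafts an extended-permission rule scoped to that single command. The function names and the ioctl table (taken from Linux asm-generic/ioctls.h) are choices made for this example, and it says nothing about where in bash the call originates.

```python
import re

# Constructed sample: the AVC record from the thread, wrapped as in the e-mail.
SAMPLE_AVC = """type=AVC msg=audit(1548870149.222:8945): avc: denied { ioctl } for
pid=20752 comm="bash" path="/etc/pki/radiusd/certmonger-post.sh"
dev="dm-0" ino=8415894 ioctlcmd=5401
scontext=system_u:system_r:certmonger_t:s0
tcontext=unconfined_u:object_r:radiusd_cert_t:s0 tclass=file permissive=0"""

# Terminal ioctl request numbers from Linux asm-generic/ioctls.h.
TTY_IOCTLS = {0x5401: "TCGETS", 0x5402: "TCSETS", 0x5403: "TCSETSW",
              0x5404: "TCSETSF", 0x5413: "TIOCGWINSZ"}

def parse_avc(record):
    """Return (denied permissions, key=value fields) for one AVC denial."""
    record = " ".join(record.split())          # undo mail/line wrapping
    denied = re.search(r"avc:\s*denied\s*\{([^}]*)\}", record)
    if denied is None:
        raise ValueError("not an AVC denial record")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', record)
    return denied.group(1).split(), {k: q or v for k, q, v in pairs}

def selinux_type(context):
    """The type is the third colon-separated field of user:role:type:level."""
    return context.split(":")[2]

def triage(record, rule="dontauditxperm"):
    """Decode the ioctl command and draft a rule limited to that one command."""
    perms, f = parse_avc(record)
    out = {"perms": perms, "comm": f.get("comm"), "path": f.get("path"),
           "source": selinux_type(f["scontext"]),
           "target": selinux_type(f["tcontext"]), "tclass": f["tclass"],
           "ioctl": None, "tty_ioctl_on_non_tty": False, "rule": None}
    if "ioctlcmd" in f:
        cmd = int(f["ioctlcmd"], 16)           # logged in hex, with or without 0x
        out["ioctl"] = TTY_IOCTLS.get(cmd, "unknown")
        # TCGETS is the request tcgetattr()/isatty() issue; on a regular file
        # isatty() reports "not a terminal" whether the ioctl is denied or allowed.
        out["tty_ioctl_on_non_tty"] = cmd in TTY_IOCTLS and f["tclass"] != "chr_file"
        # Draft text for review, not a recommendation to load it unchanged.
        out["rule"] = "%s %s %s:%s ioctl 0x%04x;" % (
            rule, out["source"], out["target"], out["tclass"], cmd)
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE_AVC).items():
        print(f"{key}: {value}")
```

Passing rule="allowxperm" drafts the allow form of the same single-command rule instead.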