Selinux warning?

Daniel J Walsh dwalsh at redhat.com
Tue Jan 3 17:46:00 UTC 2006


Tom Diehl wrote:
> On Mon, 2 Jan 2006, Daniel J Walsh wrote:
>
>   
>> Tom Diehl wrote:
>>     
>>> Hi all,
>>>
>>> I have an EL4 box that every time I do su - vmail I get the following warnings
>>> in the log:
>>>
>>> Dec 31 12:25:22 roger su(pam_unix)[2055]: session opened for user vmail by root(uid=0)
>>> Dec 31 12:25:22 roger su[2055]: Warning!  Could not relabel /dev/pts/3 with user_u:object_r:initrc_devpts_t, not relabeling.Operation not permitted
>>>
>>> (roger pts4) # ll -Z /dev/pts/3
>>> crw-------  root     tty      root:object_r:initrc_devpts_t    /dev/pts/3
>>> (roger pts4) #
>>>
>>>       
>> Not sure why your tty is labeled initrc_devpts_t.   You could try to 
>> remove pam_selinux.so lines from your /etc/pam.d/su file and this should 
>> work fine.
>>     
>
> This is a fully updated stock EL4 installation with no mods to pam or selinux.
> Is this some kind of bug or do the tty's need to be relabeled?? As far as I
> can tell, everything is working normally except for the warnings. In addition
> I looked a little harder and the warnings are showing up whenever I "su -" to
> any user.
>
> What if any downside is there to removing the pam_selinux.so lines as you
> suggested above?
>
> I would prefer to understand what is going on here. Unfortunately it is taking
> me way longer than I would like, to understand selinux. :-(
>
>   
The pam_selinux.so lines were originally put in for strict/mls policy.  
They should have no effect for targeted policy, as you are seeing.  The 
problem is that they are trying to set the file context on a 
controlling terminal and policy is not allowing this.  But this has no 
effect since you end up logging in as unconfined anyways.
> Regards,
>
> Tom Diehl		tdiehl at rogueind.com		Spamtrap address mtd123 at rogueind.com
>   
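
The situation described in the reply above, as an added example that is not part of the original thread: a script that reads a syslog file, a PAM service file and an SELinux config file and reports whether the relabel warning matches the targeted-policy case. The function names, the verdict strings and the sample PAM and config contents are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: triage of the su relabel warning discussed in this thread.

# Print the SELINUXTYPE value from an /etc/selinux/config style file.
policy_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed if the PAM service file has an active (uncommented) pam_selinux.so line.
has_pam_selinux() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_selinux\.so' "$1"
}

# Print "tty context count" for each distinct relabel warning logged by su.
relabel_warnings() {
    sed -n 's/.* su\[[0-9]*]: Warning! *Could not relabel \([^ ]*\) with \([^, ]*\),.*/\1 \2/p' "$1" |
        sort | uniq -c | awk '{print $2, $3, $1}'
}

# usage: triage LOGFILE PAMFILE SELINUXCONFIG (verdict strings are this example's own)
triage() {
    if [ -z "$(relabel_warnings "$1")" ]; then
        echo "no-warnings"
    elif has_pam_selinux "$2" && [ "$(policy_type "$3")" = "targeted" ]; then
        echo "expected-under-targeted"   # the case the reply describes
    else
        echo "investigate"               # strict/mls policy, or pam_selinux not active
    fi
}

# Write sample files under directory $1. The log lines are the ones quoted in the
# thread; the PAM and SELinux config contents are constructed for this example.
make_sample() {
    cat > "$1/messages" <<'EOF'
Dec 31 12:25:22 roger su(pam_unix)[2055]: session opened for user vmail by root(uid=0)
Dec 31 12:25:22 roger su[2055]: Warning!  Could not relabel /dev/pts/3 with user_u:object_r:initrc_devpts_t, not relabeling.Operation not permitted
EOF
    printf 'session required pam_selinux.so close\nsession required pam_selinux.so open\n' > "$1/su"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$1/config"
}

d=$(mktemp -d) && make_sample "$d" && triage "$d/messages" "$d/su" "$d/config"
rm -rf "$d"
```

On a live system the three arguments would be the log file the warnings appear in, /etc/pam.d/su and /etc/selinux/config.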



