tzdata-update AVC caused by pam_console ?

Daniel J Walsh dwalsh at redhat.com
Thu Jan 25 13:21:07 UTC 2007


Davide Bolcioni wrote:
> Greetings,
> I am investigating the following AVCs
>
> Jan  6 18:12:25 camelot kernel: audit(1168103545.309:4): avc:  denied  { use } 
> for  pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745 
> scontext=root:system_r:tzdata_t:s0-s0:c0.c255 
> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
> Jan  6 18:12:25 camelot kernel: audit(1168103545.310:5): avc:  denied  { use } 
> for  pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745 
> scontext=root:system_r:tzdata_t:s0-s0:c0.c255 
> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
>
> which occurred when updating tzdata just after upgrading from Fedora Core 5 to 
> Fedora Core 6. During the same update I also encountered
>
>   http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=222179
>
> but I did not see the above two lines mentioned (the inode 1745 
> matched /dev/tty1 at the time). I just tried running tzdata-update from an 
> xterm and when logged at the console, but the above no longer happens. At 
> present I have:
>
>   $ ls -lZ /dev/tty1
>   crw--w----  root tty root:object_r:tty_device_t       /dev/tty1
>
> so I wonder if the above just got fixed in the meantime or there is some 
> interaction with pam_console using different labeling from what the policy 
> expects - I was running in runlevel 1 at the time.
>
>   
This indicates that you logged in on a terminal and somehow restarted 
tzdata, which tried to access the open file descriptor hooked to the 
terminal.  I have added a locallogin_dontaudit_use_fds(tzdata_t) to the 
next policy update.
> Thank you for your consideration,
> Davide Bolcioni
>   
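A small parser for denials of this shape, added here as an example and not part of the thread: it pulls the key=value fields out of an AVC line, flags a "use" denial on the fd class as an inherited file descriptor (the tty fd left open by the login process, as described above), and maps the target domain to the dontaudit interface named in the reply. Only the local_login_t mapping from the thread is included; the second sample line is constructed.

```python
import re

# "avc:  denied  { use } for  pid=2302 ..." -> the permission set and the key=value tail
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<tail>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return {'perms': set, ...fields} for an AVC denial line, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("tail"))}
    avc["perms"] = set(m.group("perms").split())
    return avc

def ctx_type(avc, key):
    # "root:system_r:tzdata_t:s0-s0:c0.c255" is user:role:type:range; keep the type
    return avc[key].split(":")[2]

def is_inherited_fd_use(avc):
    """True when a domain was denied 'use' of a file descriptor opened by another
    domain, which is what the tty fd left open by the login process produced here."""
    return avc.get("tclass") == "fd" and "use" in avc["perms"]

# From the thread: the fd belonged to local_login_t and the fix was
# locallogin_dontaudit_use_fds(tzdata_t). Other login domains are not mapped.
DONTAUDIT_IFACE = {"local_login_t": "locallogin_dontaudit_use_fds"}

def suggest_dontaudit(avc):
    """Name the dontaudit interface call for a known inherited-fd denial, else None."""
    if not is_inherited_fd_use(avc):
        return None
    iface = DONTAUDIT_IFACE.get(ctx_type(avc, "tcontext"))
    return f"{iface}({ctx_type(avc, 'scontext')})" if iface else None

# First entry: one of the two denials quoted in the thread (they differ only in audit
# serial), rejoined onto one line. Second entry: constructed to show a non-fd denial.
SAMPLE = [
    'Jan  6 18:12:25 camelot kernel: audit(1168103545.309:4): avc:  denied  { use } for  '
    'pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745 scontext=root:system_r:'
    'tzdata_t:s0-s0:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd',
    'Jan  6 18:13:00 camelot kernel: audit(1168103580.000:6): avc:  denied  { read } for  '
    'pid=2400 comm="example" name="example.conf" dev=sda1 ino=99 scontext=system_u:system_r:'
    'example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

if __name__ == "__main__":
    for avc in map(parse_avc, SAMPLE):
        print(ctx_type(avc, "scontext"), sorted(avc["perms"]), avc["tclass"], suggest_dontaudit(avc))
```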




More information about the fedora-selinux-list mailing list