selinux denies X, but can get in via permissive mode

Antonio Olivares olivares14031 at
Wed Apr 16 23:54:17 UTC 2008

Dear all,

*** Fedora 7 ==> Fedora rawhide machine.

Booting with the enforcing=0 parameter.  I could not su - 
before, but with enforcing=0 I can now.  The following
warning comes up.  

How can I fix this to boot normally?




SELinux prevented X from using the terminal /dev/tty7.

Detailed Description:

[SELinux is in permissive mode, the operation would
have been denied but was
permitted due to permissive mode.]

SELinux prevented X from using the terminal /dev/tty7.
In most cases daemons do
not need to interact with the terminal, usually these
avc messages can be
ignored. All of the confined daemons should have
dontaudit rules around using
the terminal. Please file a bug report
against this selinux-policy.
If you would like to allow all daemons to interact
with the terminal, you can
turn on the allow_daemons_use_tty boolean.

Allowing Access:

Changing the "allow_daemons_use_tty" boolean to true
will allow this access:
"setsebool -P allow_daemons_use_tty=1."

Fix Command:

setsebool -P allow_daemons_use_tty=1

Additional Information:

Source Context                user_u:user_r:user_t
Target Context               
Target Objects                /dev/tty7 [ chr_file ]
Source                        X
Source Path                   /usr/bin/Xorg
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages          
Target RPM Packages           
Policy RPM                   
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_daemons_use_tty
Host Name                     localhost.localdomain
Platform                      Linux
2.6.25-0.218.rc8.git7.fc9.i686 #1 SMP Wed Apr 9
                              20:35:56 EDT 2008 i686
Alert Count                   1
First Seen                    Wed 16 Apr 2008 06:51:08
Last Seen                     Wed 16 Apr 2008 06:51:08
Local ID                     
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC
msg=audit(1208389868.367:37): avc:  denied  { ioctl }
for  pid=2431 comm="X" path="/dev/tty7" dev=tmpfs
ino=237 scontext=user_u:user_r:user_t:s0

host=localhost.localdomain type=SYSCALL
msg=audit(1208389868.367:37): arch=40000003 syscall=54
success=yes exit=0 a0=7 a1=4b30 a2=640ba6 a3=51eb851f
items=0 ppid=2430 pid=2431 auid=500 uid=500 gid=500
euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500
tty=tty7 ses=1 comm="X" exe="/usr/bin/Xorg"
subj=user_u:user_r:user_t:s0 key=(null)


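The raw audit records quoted in the message above pair a denied AVC with a SYSCALL record showing success=yes, which is how a permissive-mode denial appears in the audit log. As an added example (not part of the original post or of setroubleshoot), this Python code groups records by audit event ID and reports that outcome; the sample joins the post's wrapped records onto single lines with the host= prefix dropped, and the function names are hypothetical.

```python
import re

# Constructed sample: the post's two raw records, each joined onto one line.
# The AVC record has no tcontext because the post's copy ends after scontext.
SAMPLE = (
    'type=AVC msg=audit(1208389868.367:37): avc:  denied  { ioctl } for  pid=2431 '
    'comm="X" path="/dev/tty7" dev=tmpfs ino=237 scontext=user_u:user_r:user_t:s0\n'
    'type=SYSCALL msg=audit(1208389868.367:37): arch=40000003 syscall=54 '
    'success=yes exit=0 a0=7 a1=4b30 a2=640ba6 a3=51eb851f items=0 ppid=2430 '
    'pid=2431 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 '
    'fsgid=500 tty=tty7 ses=1 comm="X" exe="/usr/bin/Xorg" '
    'subj=user_u:user_r:user_t:s0 key=(null)\n'
)

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_events(text):
    """Group audit records by (timestamp, serial) so AVC and SYSCALL pair up."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        rtype, stamp, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == 'AVC':
            p = PERMS.search(line)
            fields['perms'] = p.group(1).split() if p else []
        events.setdefault((stamp, serial), {})[rtype] = fields
    return events

def summarize(text):
    """One dict per AVC denial, with the outcome taken from its SYSCALL record."""
    out = []
    for (_, serial), recs in parse_events(text).items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if avc is None:
            continue
        out.append({
            'event': serial, 'perms': avc['perms'], 'path': avc.get('path'),
            'scontext': avc.get('scontext'),
            'tcontext': avc.get('tcontext'),  # None when the record is cut short
            # "denied" plus success=yes: permissive mode logged it, then allowed it
            'permitted_anyway': sc.get('success') == 'yes',
            'exe': sc.get('exe'), 'uid': sc.get('uid'), 'euid': sc.get('euid'),
        })
    return out
```

On the sample, the result also surfaces uid=500 with euid=0 for /usr/bin/Xorg, both values taken straight from the SYSCALL record in the post.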