selinux denies X, but can get in via permissive mode
Dear all,

*** fedora 7 ==> Fedora rawhide machine. Booting with the enforcing=0 parameter. Could not su - before, but with enforcing=0 can now. The following warning comes up. How can I fix this to boot normally?

Thanks,

Antonio

Summary:

SELinux prevented X from using the terminal /dev/tty7.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux prevented X from using the terminal /dev/tty7. In most cases daemons do not need to interact with the terminal, usually these avc messages can be ignored. All of the confined daemons should have dontaudit rules around using the terminal. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy. If you would like to allow all daemons to interact with the terminal, you can turn on the allow_daemons_use_tty boolean.

Allowing Access:

Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1."

Fix Command:

setsebool -P allow_daemons_use_tty=1

Additional Information:

Source Context                user_u:user_r:user_t
Target Context                system_u:object_r:tty_device_t
Target Objects                /dev/tty7 [ chr_file ]
Source                        X
Source Path                   /usr/bin/Xorg
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           xorg-x11-server-Xorg-1.4.99.901-21.20080407.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-33.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_daemons_use_tty
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-0.218.rc8.git7.fc9.i686 #1 SMP Wed Apr 9 20:35:56 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 16 Apr 2008 06:51:08 PM CDT
Last Seen                     Wed 16 Apr 2008 06:51:08 PM CDT
Local ID                      08f38222-ea43-4584-b095-04504b198679
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1208389868.367:37): avc: denied { ioctl } for pid=2431 comm="X" path="/dev/tty7" dev=tmpfs ino=237 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

host=localhost.localdomain type=SYSCALL msg=audit(1208389868.367:37): arch=40000003 syscall=54 success=yes exit=0 a0=7 a1=4b30 a2=640ba6 a3=51eb851f items=0 ppid=2430 pid=2431 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=tty7 ses=1 comm="X" exe="/usr/bin/Xorg" subj=user_u:user_r:user_t:s0 key=(null)

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--- Daniel J Walsh <dwalsh@redhat.com> wrote:
> Antonio Olivares wrote:
> > --- Dennis Jacobfeuerborn
> > <d.jacobfeuerborn@conversis.de> wrote:
> >
> >> Antonio Olivares wrote:
> >>> No, I tried
> >>> # touch ./autorelabel
> >> That should be "touch /.autorelabel"
> >>
> >> Regards,
> >> Dennis
> >>
> >> --
> >> fedora-test-list mailing list
> >> fedora-test-list@redhat.com
> >> To unsubscribe:
> >> https://www.redhat.com/mailman/listinfo/fedora-test-list
> >
> > I did it the right way as you write it correctly. But
> > still get a bunch of errors. I have to still boot
> > with enforcing=0 because the selinux denials are too
> > much to handle. The setroubleshooter utility fires
> > like the fastest guns in the west. It will need to
> > wait for a bigger fix than the ones in the avcs
> > message to fix.
> >
> > Regards,
> >
> > Antonio
>
> I would try the following commands, they should have executed during the
> upgrade.
>
> # semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
> # semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 __default__
> # semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 root

Dan,

Thank you very much. The above commands cured the illness, along with the su - errors as well.

[olivares@localhost ~]$ su -
Password:
[root@localhost ~]#

Regards,

Antonio
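
Added example, not part of the original thread: a short Python sketch that reads the two raw audit records from the first message, pairs the AVC and SYSCALL records by event id, and reports the denied permission, the source and target contexts, and whether the access still went through. The function names are this example's own; the records are the ones quoted in the first message with the host= prefix dropped.

```python
import re

# The two raw audit records from the first message (host= prefix dropped).
RECORDS = [
    'type=AVC msg=audit(1208389868.367:37): avc: denied { ioctl } for pid=2431 '
    'comm="X" path="/dev/tty7" dev=tmpfs ino=237 scontext=user_u:user_r:user_t:s0 '
    'tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file',
    'type=SYSCALL msg=audit(1208389868.367:37): arch=40000003 syscall=54 '
    'success=yes exit=0 a0=7 a1=4b30 a2=640ba6 a3=51eb851f items=0 ppid=2430 '
    'pid=2431 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 '
    'fsgid=500 tty=tty7 ses=1 comm="X" exe="/usr/bin/Xorg" '
    'subj=user_u:user_r:user_t:s0 key=(null)',
]
HEAD = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+:\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_record(line):
    """Split one audit record into (type, event id, field dict)."""
    head = HEAD.search(line)
    if not head:
        raise ValueError("not an audit record: %r" % line[:40])
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
    avc = AVC.search(line)
    if avc:
        fields["result"], fields["perms"] = avc.group(1), avc.group(2).split()
    return head.group(1), head.group(2), fields

def correlate(lines):
    """Merge records sharing an event id (timestamp:serial) into one event."""
    events = {}
    for line in lines:
        rtype, event_id, fields = parse_record(line)
        events.setdefault(event_id, {})[rtype] = fields
    return events

def summarize(event):
    """Report what was denied, by which context, and whether it still ran."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    return {
        "perms": avc["perms"], "tclass": avc["tclass"], "path": avc.get("path"),
        "source": tuple(avc["scontext"].split(":")[:3]),
        "target_type": avc["tcontext"].split(":")[2],
        "exe": sc.get("exe"), "auid": sc.get("auid"),
        # Denied by policy, yet the syscall succeeded: permissive mode.
        "permitted_anyway": avc["result"] == "denied" and sc.get("success") == "yes",
    }
```

For the event above, the summary gives the source as user_u:user_r:user_t, the context of the logged-in user (auid=500) running /usr/bin/Xorg. That is the login mapping the semanage login commands in the reply change to unconfined_u.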