04-16-2008, 11:54 PM
Antonio Olivares

selinux denies X, but can get in via permissive mode

Dear all,

*** fedora 7 ==> Fedora rawhide machine.

Booting with the enforcing=0 parameter. Could not su -
before, but with enforcing=0 I can now. The following
warning comes up.

How can I fix this to boot normally?

Thanks,

Antonio


Summary:

SELinux prevented X from using the terminal /dev/tty7.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux prevented X from using the terminal /dev/tty7. In most cases daemons do
not need to interact with the terminal, usually these avc messages can be
ignored. All of the confined daemons should have dontaudit rules around using
the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.

Allowing Access:

Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."

Fix Command:

setsebool -P allow_daemons_use_tty=1

Additional Information:

Source Context                user_u:user_r:user_t
Target Context                system_u:object_r:tty_device_t
Target Objects                /dev/tty7 [ chr_file ]
Source                        X
Source Path                   /usr/bin/Xorg
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           xorg-x11-server-Xorg-1.4.99.901-21.20080407.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-33.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_daemons_use_tty
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-0.218.rc8.git7.fc9.i686 #1 SMP Wed Apr 9 20:35:56 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 16 Apr 2008 06:51:08 PM CDT
Last Seen                     Wed 16 Apr 2008 06:51:08 PM CDT
Local ID                      08f38222-ea43-4584-b095-04504b198679
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1208389868.367:37): avc: denied { ioctl } for pid=2431 comm="X" path="/dev/tty7" dev=tmpfs ino=237 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

host=localhost.localdomain type=SYSCALL msg=audit(1208389868.367:37): arch=40000003 syscall=54 success=yes exit=0 a0=7 a1=4b30 a2=640ba6 a3=51eb851f items=0 ppid=2430 pid=2431 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=tty7 ses=1 comm="X" exe="/usr/bin/Xorg" subj=user_u:user_r:user_t:s0 key=(null)







--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
04-18-2008, 01:56 AM
Antonio Olivares

selinux denies X, but can get in via permissive mode

--- Daniel J Walsh <dwalsh@redhat.com> wrote:

> Antonio Olivares wrote:
> > --- Dennis Jacobfeuerborn
> > <d.jacobfeuerborn@conversis.de> wrote:
> >
> >> Antonio Olivares wrote:
> >>> No, I tried
> >>> # touch ./autorelabel
> >> That should be "touch /.autorelabel"
> >>
> >> Regards,
> >> Dennis
> >>
> >> --
> >> fedora-test-list mailing list
> >> fedora-test-list@redhat.com
> >> To unsubscribe:
> >> https://www.redhat.com/mailman/listinfo/fedora-test-list
> >
> > I did it the right way as you write it correctly. But
> > still get a bunch of errors. I have to still boot
> > with enforcing=0 because the selinux denials are too
> > much to handle. The setroubleshooter utility fires
> > like the fastest guns in the west. It will need to
> > wait for a bigger fix than the ones in the avcs
> > message to fix.
> >
> > Regards,
> >
> > Antonio
>
> I would try the following commands, they should have executed during the
> upgrade.
>
> # semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
> # semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 __default__
> # semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 root

Dan,

Thank you very much. The above commands cured the
illness, along with the su - errors as well.

[olivares@localhost ~]$ su -
Password:
[root@localhost ~]#

Regards,

Antonio
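
An added example, not part of the original thread: a small parser that pairs the AVC and SYSCALL records from the report above and flags the two things that matter in this case, the permissive-mode pass-through and a login session running as user_u. Treating unconfined_u as the expected login mapping is an assumption taken from the semanage commands quoted in the thread; the target context is written as system_u:object_r:tty_device_t.

```python
import re

# Records copied from the report in this thread, wrapped lines rejoined.
RECORDS = [
    'host=localhost.localdomain type=AVC msg=audit(1208389868.367:37): avc: denied '
    '{ ioctl } for pid=2431 comm="X" path="/dev/tty7" dev=tmpfs ino=237 '
    'scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tty_device_t:s0 '
    'tclass=chr_file',
    'host=localhost.localdomain type=SYSCALL msg=audit(1208389868.367:37): '
    'arch=40000003 syscall=54 success=yes exit=0 a0=7 a1=4b30 a2=640ba6 a3=51eb851f '
    'items=0 ppid=2430 pid=2431 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 '
    'egid=500 sgid=500 fsgid=500 tty=tty7 ses=1 comm="X" exe="/usr/bin/Xorg" '
    'subj=user_u:user_r:user_t:s0 key=(null)',
]
UNSET_AUID = 4294967295               # auid of processes not started from a login
EXPECTED_LOGIN_USER = "unconfined_u"  # assumption: the mapping the semanage commands set

def parse_record(line):
    """Split one audit record into fields, event id and denied permissions."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec["event"] = re.search(r'audit\(([\d.]+:\d+)\)', line).group(1)
    perms = re.search(r'denied\s+\{([^}]*)\}', line)
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def diagnose(lines):
    """Pair each AVC denial with the SYSCALL record of the same audit event."""
    events = {}
    for rec in map(parse_record, lines):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    findings = []
    for event, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc:
            continue
        se_user, _role, domain = avc["scontext"].split(":")[:3]
        is_login = int(sc.get("auid", UNSET_AUID)) != UNSET_AUID
        findings.append({
            "event": event,
            "denied": avc["perms"],
            "selinux_user": se_user,
            "source_domain": domain,
            "target_type": avc["tcontext"].split(":")[2],
            # denied by policy yet the syscall succeeded: permissive mode
            "permissive": sc.get("success") == "yes",
            # a real login session whose SELinux user is not the expected mapping
            "login_mapping_suspect": is_login and se_user != EXPECTED_LOGIN_USER,
        })
    return findings
```

Calling `diagnose(RECORDS)` returns one finding for event 1208389868.367:37; on a live system the same fields can be fed from the lines `ausearch -m avc` prints.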

