[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

tzdata-update AVC caused by pam_console ?

From: Davide Bolcioni <dblistsub-fedora yahoo it>
To: Fedora SELinux list <fedora-selinux-list redhat com>
Subject: tzdata-update AVC caused by pam_console ?
Date: Wed, 24 Jan 2007 23:48:43 +0100

Greetings,
I am investigating the following AVCs

Jan  6 18:12:25 camelot kernel: audit(1168103545.309:4): avc:  denied  { use } 
for  pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745 
scontext=root:system_r:tzdata_t:s0-s0:c0.c255 
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
Jan  6 18:12:25 camelot kernel: audit(1168103545.310:5): avc:  denied  { use } 
for  pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745 
scontext=root:system_r:tzdata_t:s0-s0:c0.c255 
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd

which occurred when updating tzdata just after upgrading from Fedora Core 5 to 
Fedora Core 6. During the same update I also encountered

  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=222179

but I did not see the above two lines mentioned (the inode 1745 
matched /dev/tty1 at the time). I just tried running tzdata-update from an 
xterm and when logged at the console, but the above no longer happens. At 
present I have:

  $ ls -lZ /dev/tty1
  crw--w----  root tty root:object_r:tty_device_t       /dev/tty1

so I wonder if the above just got fixed in the meantime or there is some 
interaction with pam_console using different labeling from what the policy 
expects - I was running in runlevel 1 at the time.

Thank you for your consideration,
Davide Bolcioni
-- 
There is no place like /home.

Follow-Ups:
- Re: tzdata-update AVC caused by pam_console ?
  - From: Daniel J Walsh

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]