selinux denies X, but can get in via permissive mode

Antonio Olivares olivares14031 at yahoo.com
Wed Apr 16 23:54:17 UTC 2008


Dear all,

*** fedora 7 ==> Fedora rawhide machine.

Booting with the enforcing=0 parameter. Could not su -
before, but with enforcing=0 can now. The following
warning comes up.

How can I fix this to boot normally?

Thanks,

Antonio 


Summary:

SELinux prevented X from using the terminal /dev/tty7.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux prevented X from using the terminal /dev/tty7. In most cases daemons do
not need to interact with the terminal, usually these avc messages can be
ignored. All of the confined daemons should have dontaudit rules around using
the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.

Allowing Access:

Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."

Fix Command:

setsebool -P allow_daemons_use_tty=1

Additional Information:

Source Context                user_u:user_r:user_t
Target Context                system_u:object_r:tty_device_t
Target Objects                /dev/tty7 [ chr_file ]
Source                        X
Source Path                   /usr/bin/Xorg
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           xorg-x11-server-Xorg-1.4.99.901-21.20080407.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-33.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_daemons_use_tty
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.25-0.218.rc8.git7.fc9.i686 #1 SMP Wed Apr 9
                              20:35:56 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 16 Apr 2008 06:51:08 PM CDT
Last Seen                     Wed 16 Apr 2008 06:51:08 PM CDT
Local ID                      08f38222-ea43-4584-b095-04504b198679
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1208389868.367:37): avc:  denied  { ioctl } for  pid=2431 comm="X" path="/dev/tty7" dev=tmpfs ino=237 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

host=localhost.localdomain type=SYSCALL msg=audit(1208389868.367:37): arch=40000003 syscall=54 success=yes exit=0 a0=7 a1=4b30 a2=640ba6 a3=51eb851f items=0 ppid=2430 pid=2431 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=tty7 ses=1 comm="X" exe="/usr/bin/Xorg" subj=user_u:user_r:user_t:s0 key=(null)
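
The raw audit messages in the report above can be triaged mechanically. This is an added example, not part of the original post or of setroubleshoot: it parses the post's AVC and SYSCALL records, joins them on the audit event id, and flags a denial whose syscall still succeeded, which is what the report attributes to permissive mode. The function names `parse_events` and `triage` are hypothetical.

```python
import re

# Raw audit records copied from the post (line-wrapped, blank line between
# records). Field names are the audit log's own; function names are made up here.
RAW = """\
host=localhost.localdomain type=AVC msg=audit(1208389868.367:37): avc:  denied
{ ioctl } for  pid=2431 comm="X" path="/dev/tty7" dev=tmpfs ino=237
scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

host=localhost.localdomain type=SYSCALL msg=audit(1208389868.367:37):
arch=40000003 syscall=54 success=yes exit=0 a0=7 a1=4b30 a2=640ba6 a3=51eb851f
items=0 ppid=2430 pid=2431 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0
egid=500 tty=tty7 ses=1 comm="X" exe="/usr/bin/Xorg" subj=user_u:user_r:user_t:s0
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Merge AVC and SYSCALL records that share an audit event id."""
    events = {}
    for chunk in re.split(r"\n\s*\n", text.strip()):
        line = " ".join(chunk.split())  # undo the mail wrapping
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events.setdefault(f"{m.group(1)}:{m.group(2)}", {})
        ev.update({k: v.strip('"') for k, v in FIELD.findall(line)
                   if k not in ("type", "msg")})
        avc = AVC.search(line)
        if avc:
            ev["decision"], ev["perms"] = avc.group(1), avc.group(2).split()
    return events

def triage(text):
    """One summary per AVC event: who asked for what, and did it go through."""
    out = []
    for eid, ev in parse_events(text).items():
        if "decision" in ev:  # skip events that carry no AVC record
            out.append({
                "event": eid, "perms": ev["perms"], "tclass": ev["tclass"],
                "source_type": ev["scontext"].split(":")[2],
                "target_type": ev["tcontext"].split(":")[2],
                "path": ev.get("path"), "exe": ev.get("exe"),
                # denied + syscall success=yes: consistent with permissive mode
                "permitted_despite_denial":
                    ev["decision"] == "denied" and ev.get("success") == "yes",
            })
    return out
```

Calling `triage(RAW)` yields a single event in which `user_t` requested `ioctl` on a `tty_device_t` character device and the call went through despite the logged denial.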





