[Pkg-utopia-maintainers] Bug#521808: selinux violations in consolekit
Ritesh Raj Sarraf
rrs at researchut.com
Mon Mar 30 08:47:06 UTC 2009
Package: consolekit
Version: 0.3.0-2
Severity: normal
Tags: selinux
This could be re-assigned to selinux-policy-default package, if you see
this as a policy problem (and not a consolekit problem).
Summary:
SELinux prevented console-kit-dae from using the terminal tty0.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux prevented console-kit-dae from using the terminal tty0. In most cases
daemons do not need to interact with the terminal, usually these avc messages
can be ignored. All of the confined daemons should have dontaudit rules around
using the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.
Allowing Access:
Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."
Fix Command:
setsebool -P allow_daemons_use_tty=1
Additional Information:
Source Context system_u:system_r:system_dbusd_t:s0
Target Context system_u:object_r:tty_device_t:s0
Target Objects tty0 [ chr_file ]
Source console-kit-dae
Source Path /usr/sbin/console-kit-daemon
Port <Unknown>
Host champaran
Source RPM Packages
Target RPM Packages
Policy RPM <Unknown>
Selinux Enabled True
Policy Type default
MLS Enabled True
Enforcing Mode Permissive
Plugin Name allow_daemons_use_tty
Host Name champaran
Platform Linux champaran 2.6.29-custom #1 SMP Wed Mar 25 14:59:06 IST 2009 i686
Alert Count 1
First Seen Mon 30 Mar 2009 02:03:42 PM IST
Last Seen Mon 30 Mar 2009 02:03:42 PM IST
Local ID 04383dd8-cfa3-4811-9caf-8a036e6e0186
Line Numbers
Raw Audit Messages
node=champaran type=AVC msg=audit(1238402022.858:53): avc: denied { read } for pid=4345 comm="console-kit-dae" name="tty0" dev=tmpfs ino=1368 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
node=champaran type=SYSCALL msg=audit(1238402022.858:53): arch=40000003 syscall=5 success=yes exit=13 a0=80631dc a1=100 a2=10f9 a3=9adce78 items=0 ppid=1 pid=4345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.29-custom (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages consolekit depends on:
ii dbus 1.2.12-1 simple interprocess messaging syst
ii libc6 2.9-4 GNU C Library: Shared libraries
ii libck-connector0 0.3.0-2 ConsoleKit libraries
ii libdbus-1-3 1.2.12-1 simple interprocess messaging syst
ii libdbus-glib-1-2 0.80-3 simple interprocess messaging syst
ii libglib2.0-0 2.20.0-2 The GLib library of C routines
ii libx11-6 2:1.2-1 X11 client-side library
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages consolekit recommends:
ii libpam-ck-connector 0.3.0-2 ConsoleKit PAM module
consolekit suggests no packages.
-- no debconf information
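Added example, not part of the original report and not code from consolekit or the SELinux tools: a small Python parser for the AVC record quoted under "Raw Audit Messages". It extracts the source type, target type, object class and permission, then renders the matching dontaudit rule text for a policy maintainer to review. The function names are hypothetical, and SAMPLE_AVC is the report's record joined onto one line.

```python
import re

# Constructed sample: the AVC record from the report above, joined onto one line.
SAMPLE_AVC = (
    'node=champaran type=AVC msg=audit(1238402022.858:53): avc: denied { read } '
    'for pid=4345 comm="console-kit-dae" name="tty0" dev=tmpfs ino=1368 '
    'scontext=system_u:system_r:system_dbusd_t:s0 '
    'tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Extract the type from user:role:type[:level]; the level may contain ':'."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed context: {context!r}')
    return parts[2]


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    missing = [k for k in ('scontext', 'tcontext', 'tclass') if k not in fields]
    if missing:
        raise ValueError(f'AVC record is missing {missing}')
    return {
        'result': m.group('result'),
        'perms': sorted(m.group('perms').split()),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
    }


def te_rule(avc, keyword='dontaudit'):
    """Render a type-enforcement rule for review (keyword: 'allow' or 'dontaudit')."""
    perms = ' '.join(avc['perms'])
    return f"{keyword} {avc['source_type']} {avc['target_type']}:{avc['tclass']} {{ {perms} }};"


if __name__ == '__main__':
    print(te_rule(parse_avc(SAMPLE_AVC)))
```

The rendered rule is only a starting point for review: a dontaudit rule silences the message without granting access, while an allow rule for the same tuple would let every process in system_dbusd_t read tty devices.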