Selinux message F-12 -
Daniel J Walsh
dwalsh at redhat.com
Mon Dec 14 13:07:40 UTC 2009
On 12/14/2009 06:01 AM, Bob Goodwin wrote:
>
> I keep seeing a star icon in the F-12 box which produces the message
> below. I wonder if it has anything to do with my ssh problems?
>
> What does it mean? What must I do to satisfy it?
>
> Bob
>
> #
>
> Summary:
>
> SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1
> "sys_tty_config" access.
>
> Detailed Description:
>
> [polkit-agent-he has a permissive type (policykit_auth_t). This access was not denied.]
>
> SELinux denied access requested by polkit-agent-he. It is not expected that this
> access is required by polkit-agent-he and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context        unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
> Target Context        unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
> Target Objects        None [ capability ]
> Source                polkit-agent-he
> Source Path           /usr/libexec/polkit-1/polkit-agent-helper-1
> Port                  <Unknown>
> Host                  box6
> Source RPM Packages   polkit-0.95-0.git20090913.3.fc12
> Target RPM Packages
> Policy RPM            selinux-policy-3.6.32-55.fc12
> Selinux Enabled       True
> Policy Type           targeted
> Enforcing Mode        Enforcing
> Plugin Name           catchall
> Host Name             box6
> Platform              Linux box6 2.6.31.6-166.fc12.i686.PAE #1 SMP Wed Dec 9 11:00:30 EST 2009 i686 i686
> Alert Count           10
> First Seen            Wed 09 Dec 2009 10:03:47 AM EST
> Last Seen             Sun 13 Dec 2009 07:36:40 PM EST
> Local ID              71279b6b-af71-4208-85fe-64503a292646
> Line Numbers
>
> Raw Audit Messages
>
> node=box6 type=AVC msg=audit(1260751000.112:20114): avc: denied {
> sys_tty_config } for pid=15535 comm="polkit-agent-he" capability=26
> scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
> tclass=capability
>
> node=box6 type=SYSCALL msg=audit(1260751000.112:20114): arch=40000003
> syscall=54 success=yes exit=0 a0=2 a1=5401 a2=bfa30888 a3=bfa3099c
> items=0 ppid=14661 pid=15535 auid=501 uid=501 gid=501 euid=0 suid=0
> fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=1
> comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1"
> subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
>
I am not sure why policykit_auth_t would need to configure the tty, and I am dontauditing it in the next update release, which I will
push as soon as Fedora infrastructure gets put back up.
Fixed in selinux-policy-3.6.32-59.fc12.noarch
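
Added example, not part of the original messages or of any Fedora tool: it pairs the AVC and SYSCALL records from the alert by audit event id, reports whether the call went ahead despite the "denied" entry, and builds a dontaudit rule. The function names and the rule text are assumptions (the page does not show the rule shipped in the update); the sample records are the two quoted above, re-joined onto single lines.

```python
import re
from collections import defaultdict

# The two raw audit records from the quoted alert, re-joined onto single lines.
SAMPLE = """\
node=box6 type=AVC msg=audit(1260751000.112:20114): avc: denied { sys_tty_config } for pid=15535 comm="polkit-agent-he" capability=26 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=capability
node=box6 type=SYSCALL msg=audit(1260751000.112:20114): arch=40000003 syscall=54 success=yes exit=0 a0=2 a1=5401 a2=bfa30888 a3=bfa3099c items=0 ppid=14661 pid=15535 auid=501 uid=501 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(record):
    """key=value pairs of one audit record, with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in FIELD.findall(record)}

def setype(context):
    """An SELinux context is user:role:type:level; return the type."""
    return context.split(":")[2]

def triage(log_text):
    """Pair AVC denials with the SYSCALL record sharing their event id
    (the last AVC seen for an event is the one kept)."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if m:
            events[m.group(2)][m.group(1)] = line
    findings = []
    for event_id, recs in events.items():
        denied = DENIED.search(recs.get("AVC", ""))
        if not denied:
            continue
        avc, sc = fields(recs["AVC"]), fields(recs.get("SYSCALL", ""))
        src, tgt = setype(avc["scontext"]), setype(avc["tcontext"])
        target = "self" if src == tgt else tgt
        findings.append({
            "event": event_id,
            "exe": sc.get("exe"),
            "perms": denied.group(1).split(),
            # success=yes next to "denied" means the call went ahead anyway,
            # matching the alert's "has a permissive type" note.
            "logged_only": sc.get("success") == "yes",
            # Assumed rule form; the rule in the policy update is not shown.
            "dontaudit": f"dontaudit {src} {target}:{avc['tclass']} "
                         f"{{ {denied.group(1)} }};",
        })
    return findings
```
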