- Bug
- Resolution: Done-Errata
- Minor
- rhel-8.9.0
- selinux-policy-3.14.3-136.el8
- None
- Moderate
- rhel-sst-security-selinux
- ssg_security
- 25
- None
- QE ack
- False
- No
- Red Hat Enterprise Linux
- None
- Pass
- Automated
- Release Note Not Required
- None
What were you trying to do that didn't work?
Trying to execute tlog-rec as a confined user, there is no AVC but the command is failing to spawn the command being recorded:
[staff@vm-rhel8 ~]$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[staff@vm-rhel8 ~]$ tlog-rec -o log.out echo hello
Locale charset is ANSI_X3.4-1968 (ASCII)
Assuming locale environment is lost and charset is UTF-8
Failed adding a utmp record
Success
Failed removing utmp record
Failed setting up the I/O tap
There is no AVC because of a dontaudit rule:
term_dontaudit_use_ptmx(utempter_t)
This rule has to be removed from the policy and the proper rule be added, since it's required to let utempter_t write/read/getattr on the ptmx, by design:
term_use_ptmx(utempter_t)
Please provide the package NVR for which bug is seen:
RHEL8, RHEL9 and Upstream policy.
How reproducible:
Always, see above.
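
The report above notes that a dontaudit rule keeps the denial out of the audit log. The following is an added example, not part of the original report or of selinux-policy: it summarizes AVC records for one source/target type pair, as they would appear after dontaudit rules are temporarily disabled with `semodule -DB` (restored with `semodule -B`). The log lines are constructed, and `ptmx_t` as the type of /dev/ptmx and `example_t` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, not taken from the report: records of the shape auditd
# writes once dontaudit rules are disabled and the failing command is re-run.
# PIDs, timestamps, inode numbers and the staff_t/example_t record are invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read write } for  pid=4242 comm="utempter" path="/dev/ptmx" dev="devtmpfs" ino=1137 scontext=staff_u:staff_r:utempter_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 comm="utempter"
type=AVC msg=audit(1700000000.105:502): avc:  denied  { getattr } for  pid=4242 comm="utempter" path="/dev/ptmx" dev="devtmpfs" ino=1137 scontext=staff_u:staff_r:utempter_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1700000000.230:503): avc:  denied  { search } for  pid=4300 comm="example" name="demo" dev="dm-0" ino=99 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)


def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def denied_perms(log_text, source_type, target_type):
    """Collect denied permissions per object class for one type pair."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records
        if se_type(m["s"]) != source_type or se_type(m["t"]) != target_type:
            continue  # denial belongs to a different domain or object
        found[m["c"]].update(m["perms"].split())
    return dict(found)


def as_allow_rules(source_type, target_type, perms_by_class):
    """Render the summary as raw allow rules for review (not for loading)."""
    return [
        f"allow {source_type} {target_type}:{cls} {{ {' '.join(sorted(perms))} }};"
        for cls, perms in sorted(perms_by_class.items())
    ]


if __name__ == "__main__":
    hidden = denied_perms(SAMPLE_AUDIT_LOG, "utempter_t", "ptmx_t")
    for rule in as_allow_rules("utempter_t", "ptmx_t", hidden):
        print(rule)
```

The printed rule is only a summary of what was denied; the change requested in the report is the `term_use_ptmx(utempter_t)` interface call.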
- clones: RHEL-24946 Cannot execute "tlog-rec" as a confined user [rhel-9] (Closed)
- links to: RHBA-2023:121335 selinux-policy bug fix and enhancement update