SELinux Archive on
 help / Atom feed
* Re: Why is bash calling ioctl?
       [not found] <>
@ 2019-01-30 18:16 ` Stephen Smalley
  0 siblings, 0 replies; 1+ messages in thread
From: Stephen Smalley @ 2019-01-30 18:16 UTC (permalink / raw)
  To: Ian Pilcher, SELinux

On 1/30/19 12:59 PM, Ian Pilcher wrote:
> This is not strictly an SELinux question, but I figure that someone may
> have run across this before and have some idea what's going on.
>   type=AVC msg=audit(1548870149.222:8945): avc:  denied  { ioctl } for 
> pid=20752 comm="bash" path="/etc/pki/radiusd/" 
> dev="dm-0" ino=8415894 ioctlcmd=5401 
> scontext=system_u:system_r:certmonger_t:s0 
> tcontext=unconfined_u:object_r:radiusd_cert_t:s0 tclass=file permissive=0
> This occurs when certmonger runs:
>    '/usr/bin/bash /etc/pki/radiusd/'
> Try as a might, I can't think of any reason why bash would be calling
> ioctl on a script file, so I'm not sure whether to dontaudit or allow
> this (as it seems to be a non-fatal error).
> Anyone have any ideas?

(corrected list address to the new list location; please note for future 

ioctlcmd=5401 is TCGETS.  This is used by isatty() to probe whether a 
descriptor refers to a tty.  bash is checking whether the descriptor is 
a tty.  You can generally dontaudit harmlessly.

^ permalink raw reply	[flat|nested] 1+ messages in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <>
2019-01-30 18:16 ` Why is bash calling ioctl? Stephen Smalley

SELinux Archive on

Archives are clonable:
	git clone --mirror selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ \
	public-inbox-index selinux

Newsgroup available over NNTP:

AGPL code for this site: git clone public-inbox