I've not looked at the bash source code for more than a dozen years, so this is just speculation.
Are there any reads from the TTY (stdin, /dev/tty, etc.) that would be caused by the script, including processing of ~/.bashrc? If so, bash could be calling ioctl to put the (pseudo)tty device (or file descriptor 0) into cooked mode? You could probably use strace to get to the bottom of it.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.

On Wed, Jan 30, 2019, 13:05 Ian Pilcher <[email protected]> wrote:

> This is not strictly an SELinux question, but I figure that someone may
> have run across this before and have some idea what's going on.
>
> type=AVC msg=audit(1548870149.222:8945): avc: denied { ioctl } for
> pid=20752 comm="bash" path="/etc/pki/radiusd/certmonger-post.sh"
> dev="dm-0" ino=8415894 ioctlcmd=5401
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=unconfined_u:object_r:radiusd_cert_t:s0 tclass=file permissive=0
>
> This occurs when certmonger runs:
>
> '/usr/bin/bash /etc/pki/radiusd/certmonger-post.sh'
>
> Try as I might, I can't think of any reason why bash would be calling
> ioctl on a script file, so I'm not sure whether to dontaudit or allow
> this (as it seems to be a non-fatal error).
>
> Anyone have any ideas?
>
> Thanks!
>
> --
> ========================================================================
> Ian Pilcher [email protected]
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================
> _______________________________________________
> Selinux mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to
> [email protected].
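Added example, not part of either message above: a small Python parser for the AVC record quoted in the thread that decodes the `ioctlcmd` field. The request numbers are taken from Linux `<asm-generic/ioctls.h>` (0x5401 is TCGETS, the request behind tcgetattr()); the function names, the `SAMPLE_AVC` constant and the classification flags are assumptions made for this illustration.

```python
import re

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1548870149.222:8945): avc: denied { ioctl } for '
    'pid=20752 comm="bash" path="/etc/pki/radiusd/certmonger-post.sh" '
    'dev="dm-0" ino=8415894 ioctlcmd=5401 '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=unconfined_u:object_r:radiusd_cert_t:s0 tclass=file permissive=0'
)

# Terminal ioctl request numbers from Linux <asm-generic/ioctls.h>.
TTY_IOCTLS = {
    0x5401: "TCGETS", 0x5402: "TCSETS", 0x5403: "TCSETSW", 0x5404: "TCSETSF",
    0x540F: "TIOCGPGRP", 0x5410: "TIOCSPGRP",
    0x5413: "TIOCGWINSZ", 0x5414: "TIOCSWINSZ",
}
# Requests in the table that only query terminal state and change nothing.
READ_ONLY = {"TCGETS", "TIOCGPGRP", "TIOCGWINSZ"}

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into result, permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, value in FIELD_RE.findall(m.group(3)):
        rec[key] = value.strip('"')
    return rec


def describe_ioctl(rec):
    """Decode ioctlcmd; return None if the record is not an ioctl check."""
    if "ioctl" not in rec["perms"] or "ioctlcmd" not in rec:
        return None
    cmd = int(rec["ioctlcmd"], 16)  # hex, with or without a 0x prefix
    name = TTY_IOCTLS.get(cmd, "unknown")
    return {
        "cmd": cmd,
        "name": name,
        # A terminal request aimed at a regular file: a "is this a tty?" probe.
        "tty_probe_on_non_tty": cmd in TTY_IOCTLS and rec.get("tclass") == "file",
        "read_only": name in READ_ONLY,
    }
```

Running `describe_ioctl(parse_avc(SAMPLE_AVC))` identifies the denied request as TCGETS against a `tclass=file` object, which is the kind of detail that helps when weighing dontaudit against allow.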
