Bug 453248

Summary: security_compute_sid: invalid context unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023
Product: [Fedora] Fedora
Component: selinux-policy
Version: 9
Status: CLOSED ERRATA
Severity: medium
Priority: low
Hardware: All
OS: Linux
Reporter: Miloslav Trmač <mitr>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: clasohm, jkubin
Doc Type: Bug Fix
Last Closed: 2008-07-02 12:27:20 UTC

Description Miloslav Trmač 2008-06-28 10:56:25 UTC
Description of problem:
(cd /; sudo /usr/sbin/vpnc) connects, but setting up the network fails with
about 15 messages:
/etc/vpnc/vpnc-script: line 99: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 100: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 104: /sbin/ifconfig: Permission denied
... and so on.

audit.log contains the following:

type=SELINUX_ERR msg=audit(1214650324.205:212): security_compute_sid:  invalid
context unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 for
scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1214650324.205:212): arch=40000003 syscall=11 success=no
exit=-13 a0=8a1da98 a1=8a2f4e8 a2=8a19c98 a3=0 items=0 ppid=11903 pid=11904
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1
comm="vpnc-script" exe="/bin/bash"
subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
(... and so on, repeated several times.)

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-69.fc9.noarch
AFAICT this started happening after upgrading to this policy.

Additional info:
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ ls -Z /usr/bin/sudo /usr/sbin/vpnc /etc/vpnc/vpnc-script /sbin/ip /sbin/ifconfig 
-rwxr-xr-x  root root system_u:object_r:etc_t:s0       /etc/vpnc/vpnc-script
-rwxr-xr-x  root root system_u:object_r:ifconfig_exec_t:s0 /sbin/ifconfig
-rwxr-xr-x  root root system_u:object_r:ifconfig_exec_t:s0 /sbin/ip
---s--x--x  root root system_u:object_r:sudo_exec_t:s0 /usr/bin/sudo
-rwxr-xr-x  root root system_u:object_r:vpnc_exec_t:s0 /usr/sbin/vpnc

Relabeling didn't fix the problem.
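
Added example, not part of the original report or of any Fedora tool: a small Python parser that pairs each security_compute_sid "invalid context" record with the SYSCALL record sharing its audit event ID, so the failed domain transition (source type, computed type, role, entrypoint label, failing command) can be read off directly. The sample input is the report's two records rejoined onto single lines; all function names are hypothetical.

```python
import re

# Constructed sample: the two audit records quoted in the report, rejoined onto
# single lines as they would appear in the audit log.
SAMPLE = """\
type=SELINUX_ERR msg=audit(1214650324.205:212): security_compute_sid:  invalid context unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1214650324.205:212): arch=40000003 syscall=11 success=no exit=-13 a0=8a1da98 a1=8a2f4e8 a2=8a19c98 a3=0 items=0 ppid=11903 pid=11904 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="vpnc-script" exe="/bin/bash" subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
"""

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
INVALID = re.compile(r"security_compute_sid:\s+invalid context (\S+) for (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    user, role, type_, *rng = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": rng[0] if rng else ""}

def fields(text):
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def failed_transitions(log_text):
    """Return one finding per 'invalid context' event, joined with the SYSCALL
    record that carries the same audit event id (timestamp:serial)."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record (or a wrapped fragment)
        rtype, stamp, serial, body = m.groups()
        events.setdefault((stamp, serial), {})[rtype] = body
    findings = []
    for (stamp, serial), recs in sorted(events.items()):
        inv = INVALID.match(recs.get("SELINUX_ERR", ""))
        if not inv:
            continue
        avc, sc = fields(inv.group(2)), fields(recs.get("SYSCALL", ""))
        computed, source = split_context(inv.group(1)), split_context(avc["scontext"])
        findings.append({
            "event": f"{stamp}:{serial}", "computed": inv.group(1),
            "from_type": source["type"], "to_type": computed["type"], "role": computed["role"],
            "entrypoint_type": split_context(avc["tcontext"])["type"], "tclass": avc["tclass"],
            "comm": sc.get("comm"), "exe": sc.get("exe"),
            "exit": int(sc["exit"]) if "exit" in sc else None,  # -13 is EACCES
        })
    return findings

if __name__ == "__main__":
    for finding in failed_transitions(SAMPLE):
        print(finding)
```

Grouping the findings by (from_type, to_type, role) collapses the repeated records the report mentions into one line per failing transition.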

Comment 1 Miloslav Trmač 2008-07-02 12:27:20 UTC
Seems to work with selinux-policy-3.3.1-72.fc9.noarch.