Bug 162214 - selinux breaks pppd
Summary: selinux breaks pppd
Keywords:
Status: CLOSED DUPLICATE of bug 162200
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-06-30 21:01 UTC by Fuji TSO
Modified: 2007-11-30 22:11 UTC (History)
CC List: 0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-19 06:45:10 UTC



Description Fuji TSO 2005-06-30 21:01:35 UTC
Description of problem:
With the targeted policy enforcing, mgetty fails to invoke pppd.

I've updated to selinux-policy-targeted-1.23.18-17 and forced a relabeling by
creating /.autorelabel and rebooting, but the problem persists.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-17

How reproducible:
Every time

Steps to Reproduce:
1. Upgrade from FC3 to FC4, configure mgetty and pppd as a dial-in server
2. Update to selinux-policy-targeted-1.23.18-17
3. Attempt to dial-in to the system

Actual results:
If selinux is enforcing, mgetty fails to start pppd:

Jun 30 14:03:56 oneringydingy mgetty[1964]: cannot execute '/usr/sbin/pppd':
Permission denied
Jun 30 14:03:56 oneringydingy kernel: audit(1120154636.031:2): avc:  denied  {
search } for  pid=1964 comm="mgetty" name=sbin dev=hda1 ino=159775
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir

If selinux is permissive, pppd works, but these messages are logged:

Jun 30 14:28:12 oneringydingy mgetty[2088]: data dev=ttyS46, pid=2088,
caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd',
user='/AutoPPP/'
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.715:4): avc:  denied  {
search } for  pid=2088 comm="mgetty" name=sbin dev=hda1 ino=159775
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:5): avc:  denied  {
execute } for  pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t
tclass=file
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:6): avc:  denied  {
execute_no_trans } for  pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t
tclass=file
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:7): avc:  denied  {
read } for  pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t
tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.421:8): avc:  denied  {
search } for  pid=2088 comm="pppd" name=ppp dev=hda1 ino=32851
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_etc_t tclass=dir
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.515:9): avc:  denied  {
read } for  pid=2088 comm="pppd" name=options dev=hda1 ino=32412
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_etc_rw_t
tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.515:10): avc:  denied  {
getattr } for  pid=2088 comm="pppd" name=options dev=hda1 ino=32412
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_etc_rw_t
tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.567:11): avc:  denied  {
setuid } for  pid=2088 comm="pppd" capability=7
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=capability
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.567:12): avc:  denied  {
search } for  pid=2088 comm="pppd" name=root dev=hda1 ino=63841
scontext=system_u:system_r:getty_t tcontext=root:object_r:user_home_dir_t tclass=dir
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.568:13): avc:  denied  {
read write } for  pid=2088 comm="pppd" name=ppp dev=tmpfs ino=2190
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ppp_device_t
tclass=chr_file
Jun 30 14:28:13 oneringydingy kernel: CSLIP: code copyright 1989 Regents of the
University of California
Jun 30 14:28:13 oneringydingy kernel: PPP generic driver version 2.4.2
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.957:14): avc:  denied  {
net_admin } for  pid=2088 comm="pppd" capability=12
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=capability
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.958:15): avc:  denied  {
read } for  pid=2088 comm="pppd" name=resolv.conf dev=hda1 ino=31915
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:net_conf_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.958:16): avc:  denied  {
getattr } for  pid=2088 comm="pppd" name=resolv.conf dev=hda1 ino=31915
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:net_conf_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.959:17): avc:  denied  {
create } for  pid=2088 comm="pppd" scontext=system_u:system_r:getty_t
tcontext=system_u:system_r:getty_t tclass=udp_socket
Jun 30 14:28:13 oneringydingy pppd[2088]: pppd 2.4.2 started by a_ppp, uid 0
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.321:18): avc:  denied  {
ioctl } for  pid=2088 comm="pppd" name=ppp dev=tmpfs ino=2190
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ppp_device_t
tclass=chr_file
Jun 30 14:28:14 oneringydingy pppd[2088]: Using interface ppp0
Jun 30 14:28:14 oneringydingy pppd[2088]: Connect: ppp0 <--> /dev/ttyS46
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.348:19): avc:  denied  {
read } for  pid=2088 comm="pppd" name=chap-secrets dev=hda1 ino=32626
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_secret_t
tclass=file
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.348:20): avc:  denied  {
getattr } for  pid=2088 comm="pppd" name=chap-secrets dev=hda1 ino=32626
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_secret_t
tclass=file
Jun 30 14:28:15 oneringydingy kernel: audit(1120156095.689:21): avc:  denied  {
ioctl } for  pid=2088 comm="pppd" name=[7800] dev=sockfs ino=7800
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=udp_socket
Jun 30 14:28:16 oneringydingy pppd[2088]: Unsupported protocol 'Compression
Control Protocol' (0x80fd) received
Jun 30 14:28:16 oneringydingy pppd[2088]: found interface eth0 for proxy arp
Jun 30 14:28:16 oneringydingy pppd[2088]: local  IP address 1.1.1.1
Jun 30 14:28:16 oneringydingy pppd[2088]: remote IP address 1.1.1.28
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.230:22): avc:  denied  {
getattr } for  pid=2088 comm="pppd" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.231:23): avc:  denied  {
setgid } for  pid=2631 comm="pppd" capability=6
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=capability
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.231:24): avc:  denied  {
execute } for  pid=2631 comm="pppd" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.232:25): avc:  denied  {
execute_no_trans } for  pid=2631 comm="pppd" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.232:26): avc:  denied  {
read } for  pid=2631 comm="pppd" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.232:27): avc:  denied  {
read } for  pid=2088 comm="pppd" name=[7859] dev=pipefs ino=7859
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=fifo_file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.437:28): avc:  denied  {
execute } for  pid=2631 comm="pppd" name=bash dev=hda1 ino=63824
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:shell_exec_t
tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.437:29): avc:  denied  {
read } for  pid=2631 comm="pppd" name=bash dev=hda1 ino=63824
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:shell_exec_t
tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.440:30): avc:  denied  {
read write } for  pid=2631 comm="ip-up" name=tty dev=tmpfs ino=2191
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:devtty_t
tclass=chr_file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.444:31): avc:  denied  {
read } for  pid=2631 comm="ip-up" name=meminfo dev=proc ino=-268435454
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.444:32): avc:  denied  {
getattr } for  pid=2631 comm="ip-up" name=meminfo dev=proc ino=-268435454
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.485:33): avc:  denied  {
ioctl } for  pid=2631 comm="ip-up" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.545:34): avc:  denied  {
read } for  pid=2632 comm="ip-up" name=sh dev=hda1 ino=63765
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Jun 30 14:28:52 oneringydingy pppd[2088]: LCP terminated by peer (User request)
Jun 30 14:28:52 oneringydingy kernel: audit(1120156132.952:35): avc:  denied  {
execute } for  pid=2640 comm="ip-down" name=ifdown-post dev=hda1 ino=33139
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:etc_t tclass=file
Jun 30 14:28:52 oneringydingy kernel: audit(1120156132.955:36): avc:  denied  {
execute_no_trans } for  pid=2640 comm="ip-down" name=ifdown-post dev=hda1
ino=33139 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:etc_t
tclass=file
Jun 30 14:28:53 oneringydingy kernel: audit(1120156133.029:37): avc:  denied  {
ioctl } for  pid=2640 comm="ifdown-post" name=ifdown-post dev=hda1 ino=33139
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:etc_t tclass=file
Jun 30 14:28:53 oneringydingy kernel: audit(1120156133.049:38): avc:  denied  {
getattr } for  pid=2643 comm="sed" name=[7873] dev=pipefs ino=7873
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=fifo_file
Jun 30 14:28:53 oneringydingy kernel: audit(1120156133.129:39): avc:  denied  {
write } for  pid=2642 comm="basename" name=[7873] dev=pipefs ino=7873
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=fifo_file

Expected results:
ppp connection should be successful.

Additional info:

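What the permissive-mode log above actually shows, as an added example that is not part of the report or of the Fedora policy: mgetty (getty_t) is denied execute on pppd_exec_t, and every later denial (setuid, net_admin, the /dev/ppp read/write/ioctl, reading chap-secrets, running ip-up) still carries scontext getty_t, so pppd ran inside the getty domain instead of transitioning into its own. Feeding such a log to audit2allow would paper over that by granting getty_t all of those permissions, which is far more than a getty needs. The Python script below parses a constructed subset of the report's AVC lines (re-joined onto single lines), prints the over-broad rules the naive approach yields, detects the missing-transition pattern, and emits the core TE statements for a domain transition instead. The target domain name pppd_t is assumed from the usual policy naming convention; the report does not say what selinux-policy-targeted-1.24-3 changed.

```python
import re
from collections import defaultdict

# Constructed sample: six of the AVC messages from this report, re-joined onto
# single lines (syslog wraps them in the bug text).
SAMPLE_AVCS = """\
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.715:4): avc:  denied  { search } for  pid=2088 comm="mgetty" name=sbin dev=hda1 ino=159775 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:5): avc:  denied  { execute } for  pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t tclass=file
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:6): avc:  denied  { execute_no_trans } for  pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.567:11): avc:  denied  { setuid } for  pid=2088 comm="pppd" capability=7 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.568:13): avc:  denied  { read write } for  pid=2088 comm="pppd" name=ppp dev=tmpfs ino=2190 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ppp_device_t tclass=chr_file
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.348:19): avc:  denied  { read } for  pid=2088 comm="pppd" name=chap-secrets dev=hda1 ino=32626 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_secret_t tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avcs(text):
    """One dict per AVC denial line; lines that are not AVC denials are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d['perms'] = frozenset(d['perms'].split())
        d['stype'] = d['scontext'].split(':')[2]   # type field of user:role:type
        d['ttype'] = d['tcontext'].split(':')[2]
        denials.append(d)
    return denials


def allow_rules(denials):
    """What audit2allow does: union the denied permissions per
    (source type, target type, class)."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return {k: frozenset(v) for k, v in perms.items()}


def format_rules(rules):
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def missing_transitions(denials):
    """Heuristic for the pattern in this report: comm X is denied execute on
    some foo_exec_t, and later denials in the *same* source domain come from a
    different comm.  That means foo ran inside X's domain instead of
    transitioning.  The expected domain name foo_t follows the usual policy
    naming convention and is an assumption, not read from the policy."""
    findings = []
    for i, d in enumerate(denials):
        if (d['tclass'] != 'file' or 'execute' not in d['perms']
                or not d['ttype'].endswith('_exec_t')):
            continue
        leaked = sorted({e['comm'] for e in denials[i + 1:]
                         if e['stype'] == d['stype'] and e['comm'] != d['comm']})
        if leaked:
            findings.append({
                'source': d['stype'],
                'exec_type': d['ttype'],
                'expected_domain': d['ttype'][:-len('_exec_t')] + '_t',
                'comms_in_wrong_domain': leaked,
            })
    return findings


def transition_rules(findings):
    """Core TE statements for a domain transition (the least-privilege fix):
    the source may execute the entrypoint and transition, the new domain may
    be entered through it, and the transition happens automatically."""
    rules = []
    for f in findings:
        s, e, t = f['source'], f['exec_type'], f['expected_domain']
        rules += [
            f"allow {s} {e}:file {{ getattr read execute }};",
            f"allow {s} {t}:process transition;",
            f"allow {t} {e}:file entrypoint;",
            f"type_transition {s} {e}:process {t};",
        ]
    return rules


if __name__ == '__main__':
    denials = parse_avcs(SAMPLE_AVCS)
    print("# naive audit2allow-style rules (over-privilege getty_t):")
    print('\n'.join(format_rules(allow_rules(denials))))
    print("# domain transition instead:")
    print('\n'.join(transition_rules(missing_transitions(denials))))
```

The first block of output is the trap: it hands getty_t the setuid capability, the PPP device and the CHAP secrets. The second block is what a policy fix should look like, with pppd's own permissions living in pppd_t where the stock policy already defines them.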
Comment 1 Daniel Walsh 2005-07-03 15:26:46 UTC
Fixed in selinux-policy-targeted-1.24-3

Comment 2 Walter Justen 2005-08-19 06:45:10 UTC

*** This bug has been marked as a duplicate of 162200 ***

