Bug 453248 - security_compute_sid: invalid context unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-28 10:56 UTC by Miloslav Trmač
Modified: 2008-07-02 12:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-02 12:27:20 UTC



Description Miloslav Trmač 2008-06-28 10:56:25 UTC
Description of problem:
(cd /; sudo /usr/sbin/vpnc) connects, but setting up the network fails with
about 15 messages:
/etc/vpnc/vpnc-script: line 99: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 100: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 104: /sbin/ifconfig: Permission denied
... and so on.

audit.log contains the following:

type=SELINUX_ERR msg=audit(1214650324.205:212): security_compute_sid:  invalid
context unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 for
scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1214650324.205:212): arch=40000003 syscall=11 success=no
exit=-13 a0=8a1da98 a1=8a2f4e8 a2=8a19c98 a3=0 items=0 ppid=11903 pid=11904
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1
comm="vpnc-script" exe="/bin/bash"
subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
(... and so on, repeated several times.)

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-69.fc9.noarch
AFAICT this started happening after upgrading to this policy.

Additional info:
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ ls -Z /usr/bin/sudo /usr/sbin/vpnc /etc/vpnc/vpnc-script /sbin/ip /sbin/ifconfig 
-rwxr-xr-x  root root system_u:object_r:etc_t:s0       /etc/vpnc/vpnc-script
-rwxr-xr-x  root root system_u:object_r:ifconfig_exec_t:s0 /sbin/ifconfig
-rwxr-xr-x  root root system_u:object_r:ifconfig_exec_t:s0 /sbin/ip
---s--x--x  root root system_u:object_r:sudo_exec_t:s0 /usr/bin/sudo
-rwxr-xr-x  root root system_u:object_r:vpnc_exec_t:s0 /usr/sbin/vpnc

Relabeling didn't fix the problem.
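
Added example, not part of the original report and not code from selinux-policy or the audit tools: a small Python triage helper that pairs the SELINUX_ERR record quoted above with the SYSCALL record sharing its audit event id, then reports which fields of the rejected context differ from the caller's context. The function and field names are assumptions of this example; the sample input is the two records from the report with their line wraps joined.

```python
import re
from collections import defaultdict

# Records copied from the report above, with its line wraps joined back together.
SAMPLE = "\n".join([
    'type=SELINUX_ERR msg=audit(1214650324.205:212): security_compute_sid:  invalid '
    'context unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 for '
    'scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1214650324.205:212): arch=40000003 syscall=11 success=no '
    'exit=-13 a0=8a1da98 a1=8a2f4e8 a2=8a19c98 a3=0 items=0 ppid=11903 pid=11904 '
    'auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 '
    'comm="vpnc-script" exe="/bin/bash" '
    'subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)',
])

HEADER = re.compile(r"type=(\S+) msg=audit\(([\d.]+:\d+)\): (.*)")
INVALID = re.compile(r"security_compute_sid:\s+invalid context (\S+) for scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    # user:role:type:level; the MLS level itself contains ':', so split at most 3 times.
    return dict(zip(("user", "role", "type", "level"), ctx.split(":", 3)))

def find_invalid_contexts(log_text):
    events = defaultdict(dict)  # "timestamp:serial" -> {record type: record body}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            events[m.group(2)][m.group(1)] = m.group(3)
    findings = []
    for event_id, recs in events.items():
        m = INVALID.search(recs.get("SELINUX_ERR", ""))
        if not m:
            continue
        new, src, tgt = (split_context(c) for c in m.group(1, 2, 3))
        sc = {k: v.strip('"') for k, v in FIELD.findall(recs.get("SYSCALL", ""))}
        findings.append({
            "event": event_id,
            "source_domain": src["type"],
            "entrypoint_type": tgt["type"],
            "rejected_context": m.group(1),
            "changed": [k for k in new if new[k] != src[k]],
            "tclass": m.group(4),
            "comm": sc.get("comm"), "exe": sc.get("exe"),
            "syscall": sc.get("syscall"), "exit": sc.get("exit"),
        })
    return findings

print(find_invalid_contexts(SAMPLE))
```

On the sample, only the type field changes (vpnc_t to ifconfig_t) while the user, role and level carry over from the caller. The paired SYSCALL record is the failed exec (exit=-13) from vpnc-script that surfaces as "Permission denied".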

Comment 1 Miloslav Trmač 2008-07-02 12:27:20 UTC
Seems to work with selinux-policy-3.3.1-72.fc9.noarch.

