Bug 162955
| Summary: | SELinux stops pppd loading SpeedTouch module | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Pete Chown <2> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-07-18 14:12:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I am adding this policy
# pppd needs to load kernel modules for certain modems
bool pppd_can_insmod false;
if (pppd_can_insmod) {
ifdef(`modutil.te', `
domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
')
}
You will have to
setsebool -P pppd_can_insmod 1
Could you try that and see if it works?
It does work -- thank you. Fixed in selinux-policy-targeted-1.25.2-3 Just wanted to let you know: I updated selinux-policy-targeted today, and this issue is now resolved. Thanks for fixing this so quickly. |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4 Description of problem: When a SpeedTouch USB ADSL modem is used, pppd attempts to load the relevant kernel modules. Presumably these would be speedtch, pppoatm and usb_atm. However, the default SELinux policy prevents pppd from loading any kernel module. To get around this problem I had to include the following rules in my local policy: allow pppd_t insmod_exec_t:file { execute getattr execute_no_trans read }; allow pppd_t modules_conf_t:file { getattr read }; allow pppd_t modules_object_t:dir search; allow pppd_t modules_object_t:file { getattr lock read write }; allow pppd_t self:capability sys_module; I suspect this is the wrong answer, because allowing pppd to load modules effectively makes it unconstrained. :-( However, I'm not clear what alternatives exist. Version-Release number of selected component (if applicable): selinux-policy-targeted-1.24-3 How reproducible: Always Steps to Reproduce: 1. Install a SpeedTouch ADSL modem. 2. Install the software, in particular the modem firmware, which is not distributed with Fedora for copyright reasons. Set up the details of an ADSL connection in pppd's configuration files. 3. Ensure that the targeted policy is selected and that SELinux is set to enforcing. 4. Arrange for pppd to be run on system boot, for example by placing a command in /etc/rc.local (eg "/usr/sbin/pppd call kerneladsl"). Note that pppd seems to run successfully if it is started by root from the console -- perhaps in this case it runs in the unconfined domain? 5. Reboot system. Actual Results: Pppd fails with various AVC messages. Expected Results: Pppd should start and bring the ADSL line up. Additional info: