Bug 236794

Summary: ppp targeted policy denials
Product: Red Hat Enterprise Linux 5
Reporter: Subhendu Ghosh <sghosh>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 5.0
CC: dwalsh, ebenes, ghelleks
Hardware: All
OS: Linux
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 16:39:09 UTC

Description Subhendu Ghosh 2007-04-17 17:33:56 UTC
Description of problem: When initializing a ppp connection via NetworkManager,
pppd gets AVC denials for /var/run, /etc/default-routes, and /etc/resolv.conf


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-30.el5
selinux-policy-targeted-2.4.6-30.el5
NetworkManager-glib-0.6.4-6.el5
NetworkManager-0.6.4-6.el5
NetworkManager-gnome-0.6.4-6.el5
ppp-2.4.4-1.el5


How reproducible:


Steps to Reproduce:
1. Define dial-up interface
2. Use NetworkManager to connect via dial-up interface
Actual results:
3 AVC denial messages

Expected results:
no AVC denial messages

Additional info:

Comment 2 Subhendu Ghosh 2007-04-17 17:53:18 UTC
*** Bug 236793 has been marked as a duplicate of this bug. ***

Comment 3 David Hollis 2007-05-04 20:45:49 UTC
I also get AVC denials when trying to sync my phone over bluetooth.  PPP is
unable to read/write /var/run/pppd2.tdb.  If I use 'setenforce 0', I'm able to
sync.  The pppd2.tdb file seems to get created dynamically to match up
connections for multilink.  I don't know if it would be better if it was created
under /var/run/ppp, though that looks like it would be a build option.

Comment 4 Daniel Walsh 2007-05-05 11:54:56 UTC
This looks like a labeling problem.

restorecon /var/run/pppd2.tdb should fix the label on this file.

The question is how did it get the wrong label?

Also the resolv.conf that it is complaining about is this in /etc or /etc/ppp?


Comment 5 Subhendu Ghosh 2007-05-07 14:26:01 UTC
re #4: /etc/resolv.conf 

Comment 6 Daniel Walsh 2007-05-15 14:54:24 UTC
How do you set this up?

Comment 8 Daniel Walsh 2007-05-17 15:24:52 UTC
Could you check this against the u1 policy? Currently available in preview at
http://people.redhat.com/dwalsh/SELinux/RHEL5/u1

I believe this is fixed in selinux-policy-2.4.6-71

Comment 10 RHEL Program Management 2007-05-18 16:24:27 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 11 Subhendu Ghosh 2007-05-18 17:58:16 UTC
Still getting errors:

SYSLOG
May 18 13:23:17 dakar-lap pppd[3279]: pppd 2.4.4 started by root, uid 0
May 18 13:23:18 dakar-lap wvdial[3306]: WvDial: Internet dialer version 1.54.0 
May 18 13:23:18 dakar-lap wvdial[3306]: Warning: inherited section [*] does not
exist in wvdial.conf 
May 18 13:23:18 dakar-lap wvdial[3306]: Warning: inherited section [Modem0] does
not exist in wvdial.conf 
May 18 13:23:18 dakar-lap wvdial[3306]: Initializing modem. 
May 18 13:23:18 dakar-lap wvdial[3306]: Sending: ATZ 
May 18 13:23:18 dakar-lap wvdial[3306]: ATZ 
May 18 13:23:18 dakar-lap wvdial[3306]: OK 
May 18 13:23:18 dakar-lap wvdial[3306]: Sending: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 
May 18 13:23:18 dakar-lap wvdial[3306]: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 
May 18 13:23:18 dakar-lap wvdial[3306]: OK 
May 18 13:23:18 dakar-lap wvdial[3306]: Modem initialized. 
May 18 13:23:18 dakar-lap wvdial[3306]: Sending: ATDT#777 
May 18 13:23:18 dakar-lap wvdial[3306]: Waiting for carrier. 
May 18 13:23:18 dakar-lap wvdial[3306]: ATDT#777 
May 18 13:23:20 dakar-lap wvdial[3306]: CONNECT 
May 18 13:23:20 dakar-lap wvdial[3306]: Carrier detected.  Chatmode finished. 
May 18 13:23:20 dakar-lap pppd[3279]: Serial connection established.
May 18 13:23:20 dakar-lap pppd[3279]: Using interface ppp0
May 18 13:23:20 dakar-lap pppd[3279]: Connect: ppp0 <--> /dev/ttyACM0
May 18 13:23:21 dakar-lap kernel: PPP Deflate Compression module registered
May 18 13:23:21 dakar-lap pppd[3279]: Failed to create /etc/ppp/resolv.conf:
Permission denied
May 18 13:23:21 dakar-lap pppd[3279]: local  IP address 75.194.109.148
May 18 13:23:21 dakar-lap pppd[3279]: remote IP address 66.174.20.4
May 18 13:23:21 dakar-lap pppd[3279]: primary   DNS address 66.174.95.44
May 18 13:23:21 dakar-lap pppd[3279]: secondary DNS address 66.174.92.14
May 18 13:23:21 dakar-lap NET[3384]: /etc/sysconfig/network-scripts/ifup-post :
updated /etc/resolv.conf
May 18 13:23:24 dakar-lap setroubleshoot:      SELinux is preventing /usr/sbin/pppd (pppd_t) "write" access to resolv.conf (pppd_etc_t).      For complete SELinux messages. run sealert -l 96f1e56f-72f9-4974-94f9-2a4d1dd63e1e
May 18 13:23:57 dakar-lap kernel: Removing netfilter NETLINK layer.
May 18 13:23:57 dakar-lap kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
May 18 13:23:57 dakar-lap kernel: Netfilter messages via NETLINK v0.30.
May 18 13:23:57 dakar-lap kernel: ip_conntrack version 2.4 (8192 buckets, 65536
max) - 228 bytes per conntrack
May 18 13:24:00 dakar-lap restorecond: Reset file context /etc/resolv.conf: user_u:object_r:etc_t:s0->system_u:object_r:net_conf_t:s0
*********************************************************88

[root@dakar-lap ~]# sealert -l 96f1e56f-72f9-4974-94f9-2a4d1dd63e1e
Summary
    SELinux is preventing /usr/sbin/pppd (pppd_t) "write" access to resolv.conf
    (pppd_etc_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/pppd. It is not expected that
    this access is required by /usr/sbin/pppd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for resolv.conf, restorecon -v
    resolv.conf. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "pppd_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P pppd_disable_trans=1."

    The following command will allow this access:
    setsebool -P pppd_disable_trans=1

Additional Information        

Source Context                system_u:system_r:pppd_t
Target Context                root:object_r:pppd_etc_t
Target Objects                resolv.conf [ file ]
Affected RPM Packages         ppp-2.4.4-1.el5 [application]
Policy RPM                    selinux-policy-2.4.6-71.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     dakar-lap.lga.redhat.com
Platform                      Linux dakar-lap.lga.redhat.com 2.6.18-8.1.3.el5 #1
                              SMP Mon Apr 16 15:54:12 EDT 2007 i686 i686
Alert Count                   12
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm="pppd" dev=dm-1 egid=0 euid=0
exe="/usr/sbin/pppd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="resolv.conf"
pid=3279 scontext=system_u:system_r:pppd_t:s0 sgid=0
subj=system_u:system_r:pppd_t:s0 suid=0 tclass=file
tcontext=root:object_r:pppd_etc_t:s0 tty=ttyACM0 uid=0



Comment 13 Subhendu Ghosh 2007-05-22 13:26:25 UTC
Re #4 - looks like the error is actually with the /etc/ppp/resolv.conf, not
/etc/resolv.conf. The latter gets created correctly by ifup-post.

I am now torn in actually trying to get this fixed - the SELinux error is the
only way I know the ppp connection was setup as NetworkManager does not yet
track ppp connections ;)

Comment 15 Eduard Benes 2007-08-21 08:37:43 UTC
Could you check this with the policy currently available at
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 16 Subhendu Ghosh 2007-08-22 01:58:05 UTC
Getting dependency errors:

rpm -Uvh selinux-policy-strict-2.4.6-83.el5.noarch.rpm 
selinux-policy-targeted-2.4.6-83.el5.noarch.rpm 

error: Failed dependencies:
        selinux-policy = 2.4.6-83.el5 is needed by
selinux-policy-strict-2.4.6-83.el5.noarch
        selinux-policy = 2.4.6-83.el5 is needed by
selinux-policy-targeted-2.4.6-83.el5.noarch


rpms on disk:
rpm -qa | grep policy
policycoreutils-newrole-1.33.12-12.el5
policycoreutils-1.33.12-12.el5
selinux-policy-2.4.6-80.el5
policycoreutils-gui-1.33.12-12.el5
checkpolicy-1.33.1-2.el5
selinux-policy-targeted-2.4.6-80.el5


Comment 17 Subhendu Ghosh 2007-08-22 04:16:55 UTC
ignore #6 - just didn't see the rpm on the web page.

Installed 2.4.6-83 rpms, but sestatus still shows Policy version 21.

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

rpm -qa | grep policy
selinux-policy-2.4.6-83.el5
selinux-policy-targeted-2.4.6-83.el5
policycoreutils-newrole-1.33.12-12.el5
policycoreutils-1.33.12-12.el5
selinux-policy-strict-2.4.6-83.el5
policycoreutils-gui-1.33.12-12.el5
checkpolicy-1.33.1-2.el5

Comment 18 Subhendu Ghosh 2007-08-22 04:28:47 UTC
The selinux error about /etc/ppp/resolv.conf is fixed.  Had to reapply context.

ll -Z /etc/ppp/resolv.conf 
-rw-r--r--  root root root:object_r:pppd_etc_t         /etc/ppp/resolv.conf

restorecon -v /etc/ppp/resolv.conf 
restorecon reset /etc/ppp/resolv.conf context
root:object_r:pppd_etc_t:s0->system_u:object_r:pppd_etc_rw_t:s0

ll -Z /etc/ppp/resolv.conf 
-rw-r--r--  root root system_u:object_r:pppd_etc_rw_t  /etc/ppp/resolv.conf


Now getting errors on /etc/default-routes

sealert -l 858b44a4-5fc2-4e09-b3ab-ff4f839a74d5
Summary
    SELinux is preventing /sbin/ip (ifconfig_t) "read" to /etc/default-routes
    (net_conf_t).

Detailed Description
    SELinux denied access requested by /sbin/ip. It is not expected that this
    access is required by /sbin/ip and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /etc/default-routes, restorecon
    -v /etc/default-routes If this does not work, there is currently no
    automatic way to allow this access. Instead,  you can generate a local
    policy module to allow this access - see http://fedora.redhat.com/docs
    /selinux-faq-fc5/#id2961385 Or you can disable SELinux protection
    altogether. Disabling SELinux protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:ifconfig_t
Target Context                system_u:object_r:net_conf_t
Target Objects                /etc/default-routes [ file ]
Affected RPM Packages         iproute-2.6.18-4.el5 [application]
Policy RPM                    selinux-policy-2.4.6-83.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     dakar-lap.lga.redhat.com
Platform                      Linux dakar-lap.lga.redhat.com 2.6.18-36.el5 #1
                              SMP Fri Jul 20 14:26:11 EDT 2007 i686 i686
Alert Count                   3
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="ip" dev=dm-1 egid=0 euid=0 exe="/sbin/ip" exit=0
fsgid=0 fsuid=0 gid=0 items=0 path="/etc/default-routes" pid=4660
scontext=system_u:system_r:ifconfig_t:s0 sgid=0
subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:net_conf_t:s0 tty=(none) uid=0


bash# restorecon -v /etc/default-routes
lstat(/etc/default-routes) failed: No such file or directory


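The check behind comment 4's question and comment 18's relabel, as an added example that is not code from this bug report or from selinux-policy: parse the raw AVC lines quoted above and compare the denied file's actual type with the type the file-context policy assigns. DEFAULT_TYPES is a constructed stand-in for what `matchpathcon` would print, seeded from the restorecon line in comment 18; it assumes the caller resolves the path when the AVC only carries name=.

```python
"""Triage an AVC denial: wrong label (restorecon fixes it) or policy gap?"""
import re
import shlex

# Raw audit messages quoted in comments 11 and 18, each joined onto one line.
AVC_LINES = [
    'avc: denied { write } for comm="pppd" dev=dm-1 egid=0 euid=0 '
    'exe="/usr/sbin/pppd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="resolv.conf" pid=3279 scontext=system_u:system_r:pppd_t:s0 sgid=0 '
    'subj=system_u:system_r:pppd_t:s0 suid=0 tclass=file '
    'tcontext=root:object_r:pppd_etc_t:s0 tty=ttyACM0 uid=0',
    'avc: denied { read } for comm="ip" dev=dm-1 egid=0 euid=0 exe="/sbin/ip" '
    'exit=0 fsgid=0 fsuid=0 gid=0 items=0 path="/etc/default-routes" pid=4660 '
    'scontext=system_u:system_r:ifconfig_t:s0 sgid=0 '
    'subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:net_conf_t:s0 tty=(none) uid=0',
]

# Constructed stand-in for `matchpathcon` output (path -> default type); the
# /etc/ppp/resolv.conf entry is the type restorecon reported in comment 18.
DEFAULT_TYPES = {"/etc/ppp/resolv.conf": "pppd_etc_rw_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")


def parse_avc(line):
    """Split one raw AVC line into {'perms': [...], 'comm': ..., 'tcontext': ...}."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    fields = {"perms": m.group(1).split()}
    for token in shlex.split(m.group(2)):  # shlex drops the quotes around values
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def triage(avc, path, default_types):
    """The AVC may carry only name=, so the caller supplies the resolved PATH."""
    actual = context_type(avc["tcontext"])
    expected = default_types.get(path)
    if expected is None:  # no file-context entry known: check the path exists first
        return {"verdict": "unknown_default", "fix": "matchpathcon " + path}
    if actual != expected:  # mislabeled file: relabeling is the fix, not new policy
        return {"verdict": "relabel", "fix": "restorecon -v " + path}
    return {"verdict": "policy_gap", "fix": "label correct; policy needs an allow rule"}
```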
Comment 19 Daniel Walsh 2007-08-22 12:34:16 UTC
Looks like /etc/default-routes does not exist?

Comment 20 Daniel Walsh 2007-08-22 12:38:43 UTC
BTW, Policy Version, which is what sestatus reports as 21, and the version of the
rpm are two different things.

Comment 21 Eduard Benes 2007-09-21 18:52:48 UTC
Subhendu, could you please try the latest policy available at link below and 
reply whether it solves your problem? Thank you.

http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/93.el5/noarch/

Comment 22 Eduard Benes 2007-09-28 15:01:13 UTC
Latest policy is available here:

http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/101.el5/noarch/

Comment 23 Subhendu Ghosh 2007-10-01 14:54:24 UTC
All the PPP issues are fixed with 93 - thanks

Comment 25 errata-xmlrpc 2007-11-07 16:39:09 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html