Bug 453236
| Field | Value |
|---|---|
| Summary | selinux-policy-targeted-3.3.1-69.fc9 breaks vpnc |
| Product | Fedora |
| Component | selinux-policy-targeted |
| Version | 9 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | urgent |
| Priority | low |
| Reporter | Rob Riggs <rob+redhat> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Ben Levenson <benl> |
| CC | fbiete, jcm, jmorris, rjones |
| Doc Type | Bug Fix |
| Last Closed | 2008-11-17 22:04:52 UTC |
Description
Rob Riggs
2008-06-28 03:55:41 UTC
I have the same problem. VPNC connects, but tun0 doesn't come up, so the connection is unusable.

```
[root@localhost ~]# rpm -q selinux-policy selinux-policy-targeted vpnc
selinux-policy-3.3.1-69.fc9.noarch
selinux-policy-targeted-3.3.1-69.fc9.noarch
vpnc-0.5.1-5.fc9.i386
[root@localhost ~]# /usr/sbin/vpnc /etc/vpnc/gtt.conf
Connect Banner:
| Esta Accediendo Vd. a una zona restringida. Su tráfico quedará auditado.
/etc/vpnc/vpnc-script: line 99: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 100: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 104: /sbin/ifconfig: Permission denied
/etc/vpnc/vpnc-script: line 123: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 123: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 124: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 142: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 142: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 142: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 142: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 142: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 142: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
VPNC started in background (pid: 9040)...
[root@localhost ~]# ifconfig | grep -i tun0
[root@localhost ~]# ifconfig | grep -i tun
[root@localhost ~]#
[root@localhost ~]# sudo /usr/sbin/vpnc-disconnect
Terminating vpnc daemon (pid: 9040)
```

(The banner reads, in English: "You are accessing a restricted area. Your traffic will be audited.")

SELINUX IN PERMISSIVE MODE

```
[root@localhost ~]# /usr/sbin/vpnc /etc/vpnc/gtt.conf
Connect Banner:
| Esta Accediendo Vd. a una zona restringida. Su tráfico quedará auditado.
VPNC started in background (pid: 17412)...
[root@localhost ~]# ifconfig | grep -i tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
[root@localhost ~]#
```

So it seems to be SELinux blocking VPNC, but no new messages appear with ausearch -m avc.

*** Bug 453360 has been marked as a duplicate of this bug. ***

Some data points:

* Starting via the NetworkManager wrapper works correctly (reads configuration from standard input, doesn't use /etc/vpnc/vpnc-script). The context of the running VPNC instance is as follows: system_u:system_r:vpnc_t:s0
* Starting via the command line on any kind of console yields this context: unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023

However, the targeted policy (system/unconfined.te) does contain:

```
optional_policy(`
	vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
```

Which results in:

```
interface(`vpn_run',`
	gen_require(`
		type vpnc_t;
	')

	vpn_domtrans($1)
	role $2 types vpnc_t;
	allow vpnc_t $3:chr_file rw_term_perms;
	sysnet_run_ifconfig(vpnc_t, $2, $3)
')
```

And as far as I can see, this specifically covers the case that we're in an unconfined context when we call VPNC. Some part of the policy is disallowing the calls to the sysnetwork bits, but even after hours of reading through SELinux policy documentation and the policy we're shipping, I have yet to figure it out. I will keep at it later on tonight when I've got some free time.

Jon.

Ah, looking more closely at the sysnetwork policy, we can see:

```
system/sysnetwork.te:39: role system_r types ifconfig_t;
```

Which is why VPNC is specifically allowed to run when started via NetworkManager. Conversely, however, there is no similar role statement in the unconfined policy. I believe (and so does audit2allow) that the following addition to system/unconfined.te would at least work around this problem (I will now build a test package):

```
role unconfined_r types ifconfig_t;
```

Jon.

Actually, that's going to be too loose as a policy, I guess. I'll wait for a comment from Dan as to the best action :)

That is the exact fix, and this fix is in

Fixed in selinux-policy-3.3.1-72.fc9.noarch

which is in testing.

Help me understand, then: this will allow unconfined users in general to have access to ifconfig, right? So long as that's desired, this would work. I saw the build in koji, but you did it so quickly after the breakage that I admit I assumed it was unrelated. Will test it.

Jon.

(There was nothing in the koji-visible RPM build logs to suggest that -72 was going to fix this particular policy problem; that's why I discounted it.)

Confirmed that this fixes the problem, voting for it in bodhi. I suggest others test this fix too and then visit http://bodhi.fedoraproject.org/ to vote that this package gets good enough karma for release.

vpnc/ifconfig recreate the file /etc/resolv.conf. So when you run these tools you need to transition, to create the files with the correct context. So the unconfined_t->vpnc_exec_t->vpnc_t transition is needed to make sure networking labels files correctly.

The bug was an RBAC bug. Before Fedora 9, unconfined_u ran in system_r; now he runs in unconfined_r, but we had a rule that says unconfined_t->vpnc_exec_t->vpnc_t->ifconfig_exec_t->ifconfig_t. But there was no role that says that unconfined_u:unconfined_r:ifconfig_t is a valid context. I had not added a rule that says ifconfig_t can be run by the unconfined_r role.

I usually put lots of fixes into an update and sometimes miss putting some of them in the changelog. Sorry about that.

If you run vpnc from NetworkManager this all works correctly, because NetworkManager runs as system_r and that is valid for ifconfig_t. So only people who ran vpnc directly as root are seeing this bug.

Thanks for the explanation :) I had deduced exactly what you just said after many hours of documentation reading last night... had an iffy stomach so couldn't sleep anyway ;) Maybe there's hope for me figuring out selinux-policy!

I had to install selinux-policy-targeted in addition to selinux-policy. Just posting it here in case someone misses that detail.

Closing all bugs that have been in MODIFIED for over a month. Please reopen if the bug is not actually fixed.
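The RBAC point made in the thread (a type_transition chain can exist and still be unusable because the caller's role is never authorized for the final type) can be checked mechanically. The following is an added example, not code from this bug, from vpnc or from selinux-policy: a toy checker that parses `role R types T;` and `type_transition S E:process N;` statements from a constructed policy excerpt and walks the unconfined_t -> vpnc_t -> ifconfig_t exec chain under both the -69 and -72 role sets. Only `role system_r types ifconfig_t;`, `role $2 types vpnc_t;` (with $2 = unconfined_r) and the fix `role unconfined_r types ifconfig_t;` appear on the page; the NetworkManager_t rules, the system_r membership of vpnc_t, and the modelling of vpn_domtrans/sysnet_run_ifconfig as plain type_transition rules are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

Policy = Tuple[Dict[str, Set[str]], Dict[Tuple[str, str], str]]

# Constructed excerpt in the style of the .te fragments quoted in the bug.
# Lines marked "(from the bug)" are stated on the page; the rest are assumptions.
POLICY_BEFORE = """
role system_r types { NetworkManager_t vpnc_t ifconfig_t };   # sysnetwork.te:39 (from the bug); other members assumed
role unconfined_r types { unconfined_t vpnc_t };              # vpn_run(): role $2 types vpnc_t (from the bug)
type_transition unconfined_t vpnc_exec_t:process vpnc_t;      # vpn_domtrans(unconfined_t), modelled as a type_transition
type_transition NetworkManager_t vpnc_exec_t:process vpnc_t;  # assumption
type_transition vpnc_t ifconfig_exec_t:process ifconfig_t;    # sysnet_run_ifconfig(vpnc_t, ...), modelled likewise
"""

# The one-line fix that shipped in selinux-policy-3.3.1-72.fc9.
POLICY_AFTER = POLICY_BEFORE + "role unconfined_r types ifconfig_t;\n"


def parse_policy(text: str) -> Policy:
    """Extract 'role R types T;' and 'type_transition S E:process N;' statements."""
    role_types: Dict[str, Set[str]] = {}
    transitions: Dict[Tuple[str, str], str] = {}
    text = re.sub(r"#.*", "", text)                    # strip trailing comments
    for stmt in text.split(";"):
        stmt = stmt.replace(":", " : ").strip()
        if not stmt:
            continue
        sets: List[Set[str]] = []

        def fold(m: "re.Match[str]") -> str:           # "{ a b }" -> one placeholder token
            sets.append(set(m.group(1).split()))
            return f"__SET{len(sets) - 1}__"

        toks = re.sub(r"\{([^}]*)\}", fold, stmt).split()

        def expand(tok: str) -> Set[str]:
            m = re.fullmatch(r"__SET(\d+)__", tok)
            return sets[int(m.group(1))] if m else {tok}

        if toks[0] == "role" and len(toks) == 4 and toks[2] == "types":
            role_types.setdefault(toks[1], set()).update(expand(toks[3]))
        elif (toks[0] == "type_transition" and len(toks) == 6
              and toks[3] == ":" and toks[4] == "process"):
            for src in expand(toks[1]):
                for exe in expand(toks[2]):
                    transitions[(src, exe)] = toks[5]
    return role_types, transitions


def exec_chain(policy: Policy, context: str, exec_types: List[str]) -> Tuple[bool, str]:
    """Follow process transitions for a chain of execs, keeping the caller's role.

    Mirrors the RBAC check described in the bug: after each exec the new domain
    must be authorized for the (unchanged) role, otherwise the resulting
    context is invalid. Returns (True, final_context) or (False, reason).
    """
    role_types, transitions = policy
    user, role, dom = context.split(":")[:3]           # an MLS range, if present, is ignored
    for exe in exec_types:
        dom = transitions.get((dom, exe), dom)         # no rule: stay in the caller's domain
        if dom not in role_types.get(role, set()):
            return False, f"role {role} is not authorized for type {dom}"
    return True, f"{user}:{role}:{dom}"


if __name__ == "__main__":
    chain = ["vpnc_exec_t", "ifconfig_exec_t"]
    for label, text in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        pol = parse_policy(text)
        print(label, "root console  :", exec_chain(pol, "unconfined_u:unconfined_r:unconfined_t", chain))
        print(label, "NetworkManager:", exec_chain(pol, "system_u:system_r:NetworkManager_t", chain))
```

With the -69 role set the root-console chain stops at ifconfig_t while the NetworkManager chain (system_r) succeeds, which is exactly the split reported in the thread; adding the single role statement makes the root-console chain end in unconfined_u:unconfined_r:ifconfig_t. On a live system the same question is answered by setools (`seinfo -r unconfined_r -x` lists the types a role is authorized for), and the kernel refuses an exec whose computed context would be invalid with EACCES, which is why the failure shows up as "Permission denied" from the script rather than as an ordinary AVC denial.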