Bug 459352

Summary: SELinux prevents NetworkManager access to pppd which is required for 3g mobile broadband
Product: [Fedora] Fedora Reporter: Paul Ross <car.insurance3>
Component: selinux-policy Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 9 CC: jkubin
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2008-08-18 16:41:32 UTC Type: ---

Description Paul Ross 2008-08-17 09:14:52 UTC
Description of problem:

If, under NetworkManager, you select the GSM Network Connection then the connection fails. SELinux then warns that it has blocked access to pppd from NetworkManager, with the following information:

Summary

SELinux is preventing pppd (pppd_t) "read write" to ./pppd2.tdb (var_run_t).

Detailed Description

SELinux denied access requested by pppd. It is not expected that this access is required by pppd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./pppd2.tdb, restorecon -v './pppd2.tdb' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.


Version-Release number of selected component (if applicable):

NetworkManager-gnome-0.7.0-0.9.4.svn3675.fc9.i386
NetworkManager-glib-0.7.0-0.9.4.svn3675.fc9.i386
NetworkManager-0.7.0-0.9.4.svn3675.fc9.i386
libselinux-devel-2.0.67-4.fc9.i386
libselinux-python-2.0.67-4.fc9.i386
selinux-policy-3.3.1-84.fc9.noarch
libselinux-2.0.67-4.fc9.i386
selinux-policy-devel-3.3.1-84.fc9.noarch
selinux-policy-targeted-3.3.1-84.fc9.noarch
rp-pppoe-3.8-3.fc9.i386
ppp-2.4.4-7.fc9.i386



How reproducible:

100%

Steps to Reproduce:
1. Boot the machine and log in to the GNOME desktop
2. On the bottom right, click on the NetworkManager icon
3. Select "Auto GSM network connection"
4. Observe the SELinux star appear
  
Actual results:

SELinux prevents access to pppd preventing the machine from using 3g mobile broadband.

Expected results:

SELinux should allow access to pppd allowing the machine to access 3g mobile broadband services

Additional info:

Comment 1 Daniel Walsh 2008-08-18 11:47:08 UTC
Did you run the restorecon command?  Did this fix the problem?

# restorecon -R -v /var/run/ppp*

I believe the problem is the file is somehow mislabeled.  If you can figure out which process created this file, that is probably the culprit.

If it is created via an init script we might need to add a restorecon command to the init script.

Comment 2 Paul Ross 2008-08-18 16:41:32 UTC
Yes, a relabel fixed it.
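
The pattern diagnosed in this thread, a confined domain (pppd_t) denied on a file that still carries the generic type of its parent directory (var_run_t), can be picked out of the audit log mechanically. The following is an added example, not part of the original bug report or of the SELinux tools; the function name, the list of generic types and the sample AVC records are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag AVC denials whose target file carries a generic,
# directory-inherited type (a likely mislabel) instead of a dedicated one.

# Types a file picks up from its parent directory when no type transition
# applied at creation time. This list is an assumption; extend as needed.
GENERIC_TYPES="var_run_t var_lib_t var_log_t tmp_t etc_t"

# Reads audit records on stdin and prints "comm source_type target_type name"
# for every file denial that looks like a labeling problem.
mislabel_candidates() {
    awk -v generic="$GENERIC_TYPES" '
        BEGIN { n = split(generic, g, " "); for (i = 1; i <= n; i++) is_generic[g[i]] = 1 }
        /avc:/ && /denied/ {
            comm = name = stype = ttype = tclass = ""
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue          # tokens like "{", "read", "for"
                key = substr($i, 1, eq - 1)
                val = substr($i, eq + 1)
                gsub(/"/, "", val)
                if (key == "comm") comm = val
                else if (key == "name") name = val
                else if (key == "tclass") tclass = val
                # A context is user:role:type:level, so the type is field 3.
                else if (key == "scontext") { split(val, c, ":"); stype = c[3] }
                else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
            }
            if (tclass == "file" && (ttype in is_generic))
                print comm, stype, ttype, name
        }'
}

# Constructed sample records (not taken from the bug report).
SAMPLE_LOG='type=AVC msg=audit(1218964492.101:45): avc:  denied  { read write } for  pid=2931 comm="pppd" name="pppd2.tdb" dev=dm-0 ino=98311 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1218964501.220:46): avc:  denied  { name_connect } for  pid=3010 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1218964510.007:47): avc:  denied  { read } for  pid=3055 comm="httpd" name="shadow" dev=dm-0 ino=77120 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_LOG" | mislabel_candidates
```

On a live system, each flagged file can be checked against the policy's default label with `matchpathcon -V <path>`, and `restorecon -n -v <path>` previews the relabel without changing anything.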