Bug 467116

Summary: SELinux is preventing nm-vpnc-service (NetworkManager_t) "signull" to <Unknown> (vpnc_t)
Product: [Fedora] Fedora
Reporter: Stefan Becker <chemobejk>
Component: NetworkManager-vpnc
Assignee: Dan Williams <dcbw>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 9
CC: davidz, dcbw, dwalsh
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-10-30 09:43:36 UTC

Description Stefan Becker 2008-10-15 20:01:52 UTC
When there is an unclean shutdown of the VPN, SELinux prevents killing of the vpnc process.

selinux-policy-3.3.1-95.fc9.noarch
selinux-policy-targeted-3.3.1-95.fc9.noarch
NetworkManager-0.7.0-0.11.svn4175.fc9.i386
NetworkManager-gnome-0.7.0-0.11.svn4175.fc9.i386
NetworkManager-glib-0.7.0-0.11.svn4175.fc9.i386
NetworkManager-vpnc-0.7.0-0.11.svn4175.fc9.i386
vpnc-0.5.1-6.fc9.i386



sealert output:

Oct 15 00:13:06 l3f1199 setroubleshoot: SELinux is preventing nm-vpnc-service
(NetworkManager_t) "signull" to <Unknown> (vpnc_t). For complete SELinux
messages. run sealert -l 97e371ff-dd92-4022-bb54-0265cc9b8a3a
Summary:

SELinux is preventing nm-vpnc-service (NetworkManager_t) "signull" to <Unknown>
(vpnc_t).                                                                      

Detailed Description:

SELinux denied access requested by nm-vpnc-service. It is not expected that this
access is required by nm-vpnc-service and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)   
against this package.                                                          

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:vpnc_t:s0          
Target Objects                None [ process ]                     
Source                        nm-vpnc-service                      
Source Path                   /usr/libexec/nm-vpnc-service         
Port                          <Unknown>                            
Host                          l3f1199                              
Source RPM Packages           NetworkManager-vpnc-0.7.0-0.11.svn4175.fc9
Target RPM Packages                                                     
Policy RPM                    selinux-policy-3.3.1-95.fc9               
Selinux Enabled               True                                      
Policy Type                   targeted                                  
MLS Enabled                   True                                      
Enforcing Mode                Enforcing                                 
Plugin Name                   catchall                                  
Host Name                     l3f1199
Platform                      Linux l3f1199 2.6.26.5-45.fc9.i686 #1 SMP Sat Sep
                              20 03:45:00 EDT 2008 i686 i686
Alert Count                   2
First Seen                    Tue Oct 14 22:59:08 2008
Last Seen                     Wed Oct 15 00:13:06 2008
Local ID                      97e371ff-dd92-4022-bb54-0265cc9b8a3a
Line Numbers

Raw Audit Messages

host=l3f1199 type=AVC msg=audit(1224018786.173:55): avc:  denied  { signull }
for  pid=13789 comm="nm-vpnc-service"
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:system_r:vpnc_t:s0 tclass=process

host=l3f1199 type=SYSCALL msg=audit(1224018786.173:55): arch=40000003
syscall=37 success=no exit=-13 a0=35f1 a1=0 a2=35f1 a3=bf9dfedc items=0
ppid=7505 pid=13789 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-vpnc-service"
exe="/usr/libexec/nm-vpnc-service" subj=system_u:system_r:NetworkManager_t:s0
key=(null)
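
An added example, not part of the original report: reading the two raw audit records above together. It pairs the AVC and SYSCALL records by event id, decodes the denied call, and derives the type-enforcement rule that a local policy module for this denial would contain. The function names are hypothetical, and the syscall-number mapping is an assumption stated in the code.

```python
import errno
import re

# Raw audit records from the report above, re-joined onto one line each.
AVC = ('host=l3f1199 type=AVC msg=audit(1224018786.173:55): avc:  denied  '
       '{ signull } for  pid=13789 comm="nm-vpnc-service" '
       'scontext=system_u:system_r:NetworkManager_t:s0 '
       'tcontext=system_u:system_r:vpnc_t:s0 tclass=process')
# Trailing uid/gid/tty fields of the SYSCALL record are not needed here.
SYSCALL = ('host=l3f1199 type=SYSCALL msg=audit(1224018786.173:55): '
           'arch=40000003 syscall=37 success=no exit=-13 a0=35f1 a1=0 '
           'a2=35f1 a3=bf9dfedc items=0 ppid=7505 pid=13789')


def fields(record):
    """Return the key=value pairs of one audit record as a dict."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))


def event_id(record):
    """Timestamp:serial that ties the records of one audit event together."""
    return re.search(r'msg=audit\(([\d.]+:\d+)\)', record).group(1)


def allow_rule(avc):
    """Derive the allow rule that would permit the denied access."""
    perms = re.search(r'denied\s+\{([^}]*)\}', avc).group(1).split()
    f = fields(avc)
    src = f['scontext'].split(':')[2]   # type is the third context field
    tgt = f['tcontext'].split(':')[2]
    perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {src} {tgt}:{f["tclass"]} {perm};'


def decode_kill(syscall):
    """Decode target pid, signal number and errno from the SYSCALL record."""
    f = fields(syscall)
    # Assumption: syscall 37 on arch 40000003 (32-bit x86) is kill(2).
    if (f['arch'], f['syscall']) != ('40000003', '37'):
        raise ValueError('not an i386 kill(2) record')
    return {'target_pid': int(f['a0'], 16),   # audit logs args in hex
            'signal': int(f['a1'], 16),
            'error': errno.errorcode[-int(f['exit'])]}


if __name__ == '__main__':
    assert event_id(AVC) == event_id(SYSCALL)
    print(decode_kill(SYSCALL))
    print(allow_rule(AVC))
```

The decoded call is kill() with signal 0, which delivers no signal and only checks that the target process exists; SELinux checks that case as the separate "signull" permission on the process class, so the derived rule grants the existence check only.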

Comment 1 Dan Williams 2008-10-15 23:01:40 UTC
Dan: relevant for 5.3, f8, f9, and rawhide...  the same code is in the pptp and openvpn plugins, let me know if you need more details

Comment 2 Daniel Walsh 2008-10-16 18:56:31 UTC
Fixed in selinux-policy-3.3.1-103.fc9.noarch

Fixed in selinux-policy-3.0.8-121.fc8

Fixed in selinux-policy-2.4.6-166.el5 

Fixed in selinux-policy-3.5.12-2.fc10.noarch