Bug 502302
| Field | Value |
|---|---|
| Summary | selinux avc on vpnc connect |
| Product | [Fedora] Fedora EPEL |
| Component | vpnc |
| Version | el5 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | low |
| Hardware | All |
| OS | Linux |
| Reporter | David O'Brien <daobrien> |
| Assignee | Huzaifa S. Sidhpurwala <huzaifas> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, mastahnke, tmraz, tremble, wtogami |
| Whiteboard | ActualBug |
| Fixed In Version | vpnc-0.5.3-8.el5 |
| Doc Type | Bug Fix |
| Last Closed | 2010-09-28 05:37:19 UTC |

Description
David O'Brien
2009-05-23 11:08:54 UTC
This is a leaked file descriptor in vpnc. vpnc should call fcntl(socket, F_SETFD, FD_CLOEXEC) on all open file descriptors before executing any jobs.

You can allow this for now by executing

```
# grep vpnc /var/log/audit/audit.log | audit2allow -M myvpnc
# semodule -i myvpnc.pp
```

This will build a custom policy module and install it, allowing the access, and eliminate the AVC.

Thanks Dan. New module works fine.

David

Hi,

https://admin.fedoraproject.org/updates/vpnc-0.5.3-6.el5

Can you test this and let me know if it clears the SELinux errors?

I'd like to, but...

- I no longer have RHEL 5.2 installed, only 5.4
- I checked the epel repo and there don't seem to be any updates there
- The vpnc build that I have is 0.4.0-2.el5 (quite old)

Any other volunteers for testing (me not being very technical)? Sorry.

Hi David,

You don't need 5.2; 5.4 will do just fine. You can go to the link I posted and download the rpm and test if you want :)

Thanks.

David,

For reference, at that point the update was in the testing repository. "yum update --enablerepo=epel-testing vpnc" would have allowed you to install the updated version.

vpnc-0.5.3-6.el5 is now in the stable repository. Any chance you could confirm that this bug has been fixed?

Hi Mark,

I'm currently using:

- vpnc-0.5.3-8.el5
- rhel 5.4 with 2.6.18-164.11.1.el5

and I'm not getting any of the avc denials I was seeing before. (This is on a physical box, btw, not the VM I was using before.)

thanks

Thanks David, in that case I'll close this ticket off. The VM/Physical box shouldn't make a difference if it's the guest that gave the AVC last time.
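
The fix suggested in the first reply (setting FD_CLOEXEC before any job is executed) can be sketched as follows. This is an added example, not code from vpnc or from anyone in this thread; the helper names `set_cloexec`, `is_cloexec` and `cloexec_from`, the UDP socket standing in for the tunnel socket, and the Linux `/proc` listing in `main` are all assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC on one descriptor, preserving its other descriptor flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;                          /* fd is not open (EBADF) */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 = closed by execve(), 0 = inherited by the child, -1 = not open. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Mark every open descriptor >= lowfd; returns how many were marked. */
int cloexec_from(int lowfd)
{
    long max = sysconf(_SC_OPEN_MAX);
    int marked = 0;
    if (max < 0 || max > 65536)
        max = 65536;                        /* scan bound chosen for this example */
    for (int fd = lowfd; fd < max; fd++)
        if (set_cloexec(fd) == 0)
            marked++;
    return marked;
}

int main(void)
{
    int sock = socket(AF_INET, SOCK_DGRAM, 0);  /* constructed stand-in socket */
    printf("fd %d close-on-exec before: %d\n", sock, is_cloexec(sock));
    cloexec_from(3);                            /* leave stdin/stdout/stderr alone */
    printf("fd %d close-on-exec after:  %d\n", sock, is_cloexec(sock));
    pid_t pid = fork();
    if (pid == 0) {                             /* child: stands in for the job */
        execl("/bin/ls", "ls", "-l", "/proc/self/fd", (char *)NULL);
        _exit(127);
    }
    if (pid > 0)
        waitpid(pid, NULL, 0);                  /* listing shows no socket entry */
    return 0;
}
```

With the flag set, the kernel closes the socket during execve(), so the executed program never holds a descriptor for SELinux to deny; the audit2allow module above only permits the leak rather than removing it.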