Bug 518918

Summary: problem access pptp client
Product: [Fedora] Fedora Reporter: Alexander <al.damyanov>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: low    
Version: 11CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: SeLinux Policy
Fixed In Version: 3.6.12-80.fc11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-28 21:56:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Alexander 2009-08-24 07:22:15 UTC

SELinux is preventing sh (pptp_t) "dac_override" pptp_t.

Detailed Description:

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          cave.xxxxxxxxxxx.com
Source RPM Packages           bash-4.0-7.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-78.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     cave.xxxxxxxxxxx.com
Platform                      Linux cave.xxxxxxxxxxx.com
                     #1 SMP Sat Aug 15
                              01:06:26 EDT 2009 x86_64 x86_64
Alert Count                   194
First Seen                    Sun 23 Aug 2009 10:32:46 PM EEST
Last Seen                     Mon 24 Aug 2009 10:11:26 AM EEST
Local ID                      2566b98c-716b-494b-9639-3c3db79b9f8e
Line Numbers                  

Raw Audit Messages            

node=cave.xxxxxxxxxxx.com type=AVC msg=audit(1251097886.860:30993): avc:  denied  { dac_override } for  pid=4077 comm="sh" capability=1 scontext=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 tclass=capability

node=cave.xxxxxxxxxxx.com type=AVC msg=audit(1251097886.860:30993): avc:  denied  { dac_read_search } for  pid=4077 comm="sh" capability=2 scontext=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 tclass=capability

node=cave.xxxxxxxxxxx.com type=SYSCALL msg=audit(1251097886.860:30993): arch=c000003e syscall=4 success=no exit=-13 a0=4a1773 a1=7fffb2089160 a2=7fffb2089160 a3=2 items=0 ppid=4075 pid=4077 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):11

Comment 1 Daniel Walsh 2009-08-24 13:26:35 UTC
Seems reasonable.

Comment 2 Miroslav Grepl 2009-08-24 13:40:20 UTC
You can allow this for now using

# grep pptp /var/log/audit/audit.log | audit2allow -M mypptp
# semodule -i mypptp.pp

Comment 3 Miroslav Grepl 2009-08-24 15:38:36 UTC
Fixed in selinux-policy-3.6.12-80.fc11

Comment 4 Fedora Update System 2009-08-24 15:44:35 UTC
selinux-policy-3.6.12-80.fc11 has been submitted as an update for Fedora 11.

Comment 5 Fedora Update System 2009-08-25 04:26:18 UTC
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8895

Comment 6 Fedora Update System 2009-08-28 21:56:16 UTC
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.