Bug 521415

Summary: setroubleshoot: SELinux is preventing ip-up "entrypoint" access on /etc/ppp/ip-up.
Product: [Fedora] Fedora
Reporter: seventhguardian
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: dwalsh, jkubin, mgrepl, seventhguardian
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:c2bd5a8cf638f488d9750ece5167ac5564a41a846f593234ebd33b66ebdf04d6
Doc Type: Bug Fix
Last Closed: 2009-09-06 19:59:04 UTC

Description seventhguardian 2009-09-05 15:45:51 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing ip-up "entrypoint" access on /etc/ppp/ip-up.

Detailed Description:

[ip-up has a permissive type (initrc_t). This access was not denied.]

SELinux denied access requested by ip-up. It is not expected that this access is
required by ip-up and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:initrc_t:s0
Target Context                system_u:object_r:pppd_initrc_exec_t:s0
Target Objects                /etc/ppp/ip-up [ file ]
Source                        ip-up
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.0.28-2.fc12
Target RPM Packages           initscripts-8.97-1
Policy RPM                    selinux-policy-3.6.30-2.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-0.199.rc8.git2.fc12.x86_64
                              #1 SMP Wed Sep 2 20:54:49 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 05 Sep 2009 16:30:39 WEST
Last Seen                     Sat 05 Sep 2009 16:43:57 WEST
Local ID                      9adc34c0-f148-4b2a-bee7-5bbf6c59c46d
Line Numbers                  

Raw Audit Messages

node=(removed) type=AVC msg=audit(1252165437.722:62): avc:  denied  { entrypoint } for  pid=2996 comm="pppd" path="/etc/ppp/ip-up" dev=dm-2 ino=21769 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:pppd_initrc_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1252165437.722:62): arch=c000003e syscall=59 success=yes exit=0 a0=7f088c179388 a1=7fffc8cb4380 a2=7f088c828030 a3=7fffc8cb4020 items=0 ppid=2982 pid=2996 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip-up" exe="/bin/bash" subj=system_u:system_r:initrc_t:s0 key=(null)


audit2allow suggests:

#============= initrc_t ==============
allow initrc_t pppd_initrc_exec_t:file entrypoint;

Comment 1 Daniel Walsh 2009-09-06 19:59:04 UTC
Fixed in selinux-policy-3.6.30-4.fc12.noarch