Bug 569986

Summary: SELinux is preventing ifup-ppp (usernetctl_t) "getattr" to /usr/sbin/pppd (pppd_exec_t).
Product: [Fedora] Fedora
Reporter: Vinicius Borges da Silva <vinyciusunderground2>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, mgrepl, vinyciusunderground2
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:eb464c06d7ada629154ae9dfa4f51d4cd0837fadfadf94d3af1b450b82db1c85
Doc Type: Bug Fix
Last Closed: 2010-03-02 21:22:53 UTC

Description Vinicius Borges da Silva 2010-03-02 21:11:48 UTC
Summary:

SELinux is preventing ifup-ppp (usernetctl_t) "getattr" to /usr/sbin/pppd
(pppd_exec_t).

Detailed Description:

SELinux denied access requested by ifup-ppp. It is not expected that this access
is required by ifup-ppp and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/sbin/pppd,

restorecon -v '/usr/sbin/pppd'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023
Target Context                system_u:object_r:pppd_exec_t:s0
Target Objects                /usr/sbin/pppd [ file ]
Source                        ifup-ppp
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-3.2-22.fc9
Target RPM Packages           ppp-2.4.4-6.fc9
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     (removed)
Platform                      Linux (removed) 2.6.25-14.fc9.i686 #1
                              SMP Thu May 1 06:28:41 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Sun 13 Dec 2009 21:39:45 BRST
Last Seen                     Sun 13 Dec 2009 21:42:25 BRST
Local ID                      690fdb31-f546-4ad2-9f7a-ed53b9e9aeb1
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1260747745.893:20): avc:  denied  { getattr } for  pid=2761 comm="ifup-ppp" path="/usr/sbin/pppd" dev=sda5 ino=1324531 scontext=unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1260747745.893:20): arch=40000003 syscall=195 success=no exit=-13 a0=9049a10 a1=bfffa89c a2=2b1ff4 a3=9049a12 items=0 ppid=2512 pid=2761 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifup-ppp" exe="/bin/bash" subj=unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall_file,ifup-ppp,usernetctl_t,pppd_exec_t,file,getattr
audit2allow suggests:
libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023 to sid

Comment 1 Daniel Walsh 2010-03-02 21:22:53 UTC
You are reporting an F12 bug with F9 policy

*** This bug has been marked as a duplicate of bug 538428 ***