Bug 585804

Summary: SELinux is preventing /usr/sbin/pppd "read" access on /var/lock/LCK..ttyUSB0.
Product: [Fedora] Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
Status: CLOSED INSUFFICIENT_DATA
Severity: medium
Priority: low
Keywords: Reopened
Reporter: Cássio Magno <kenmatrix>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, ehud.kaldor, jskala, mgrepl, michiel, zoinkle_burp
Whiteboard: setroubleshoot_trace_hash:5199095f8a1b9e7c3d3c80a6c3d9c59958621afe54945f861f12f880e647314e
Doc Type: Bug Fix
Last Closed: 2010-11-17 15:57:29 UTC

Description Cássio Magno 2010-04-26 05:49:50 UTC
Sumário:

SELinux is preventing /usr/sbin/pppd "read" access on /var/lock/LCK..ttyUSB0.

Descrição detalhada:

SELinux denied access requested by pppd. It is not expected that this access is
required by pppd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Permitindo acesso:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informações adicionais:

Contexto de origem            system_u:system_r:pppd_t:s0
Contexto de destino           unconfined_u:object_r:var_lock_t:s0
Objetos de destino            /var/lock/LCK..ttyUSB0 [ file ]
Origem                        pppd
Caminho da origem             /usr/sbin/pppd
Porta                         <Desconhecido>
Máquina                      (removed)
Pacotes RPM de origem         ppp-2.4.5-8.fc12
Pacotes RPM de destino        
RPM da política              selinux-policy-3.6.32-110.fc12
Selinux habilitado            True
Tipo de política             targeted
Modo reforçado               Enforcing
Nome do plugin                catchall
Nome da máquina              (removed)
Plataforma                    Linux (removed) 2.6.32.11-102.fc12.i686.PAE
                              #1 SMP Tue Apr 13 15:51:45 UTC 2010 i686 i686
Contador de alertas           2
Visto pela primeira vez em    Qua 21 Abr 2010 15:37:53 BRT
Visto pela última vez em     Qua 21 Abr 2010 15:38:35 BRT
ID local                      9e143e27-9cca-48bb-abaa-d432055484a8
Números de linha             

Mensagens de auditoria não p 

node=(removed) type=AVC msg=audit(1271875115.334:27004): avc:  denied  { read } for  pid=7642 comm="pppd" name="LCK..ttyUSB0" dev=sda2 ino=131675 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1271875115.334:27004): arch=40000003 syscall=5 success=no exit=-13 a0=e16900 a1=0 a2=0 a3=e16900 items=0 ppid=1290 pid=7642 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:pppd_t:s0 key=(null)



Hash String generated from  catchall,pppd,pppd_t,var_lock_t,file,read
audit2allow suggests:

#============= pppd_t ==============
allow pppd_t var_lock_t:file read;

Comment 1 Daniel Walsh 2010-04-26 13:52:10 UTC
Is pppd being started when you insert a usb stick?  

Reassigning to pppd people to see if they have an idea.  I have a feeling you can ignore this for now.

Comment 2 Jiri Skala 2010-04-27 12:00:50 UTC
Dan, this is a good question... I didn't observe pppd starting when a USB stick is inserted.

Well, I'd like to forward this question to the reporter. Please, could you answer comment #1?

Comment 3 Jiri Skala 2010-07-13 12:49:12 UTC
I don't currently see any possible action from the ppp side, therefore switching back to selinux-policy.

Comment 4 Daniel Walsh 2010-08-19 11:35:05 UTC
Are you still seeing this problem?

Comment 5 Bug Zapper 2010-11-03 16:18:58 UTC
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Lech 2010-11-11 03:20:55 UTC
If it's closed and "not a bug" then why is it preventing my mobile broadband connection from working? What's the fix?

I'm running F14.

Comment 7 Daniel Walsh 2010-11-11 14:30:14 UTC
Lech 

could you try this

# semanage permissive -a pppd_t

Then try your mobile broadband.

When you are done, attach the output of

ausearch -m avc -ts recent
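
Added example, not part of the original thread: a small Python parser showing how AVC records like the one in the description (and the `ausearch -m avc` output requested in comment 7) reduce to the allow rule audit2allow suggested. The function names and the second sample record are constructed for illustration; the SELinux user of the target context is kept as a triage hint.

```python
import re
from collections import defaultdict

# Sample input: the first record is the AVC line from the bug description;
# the second AVC record is constructed to show permissions being merged.
SAMPLE = '''\
node=(removed) type=AVC msg=audit(1271875115.334:27004): avc:  denied  { read } for  pid=7642 comm="pppd" name="LCK..ttyUSB0" dev=sda2 ino=131675 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1271875115.400:27005): avc:  denied  { open getattr } for  pid=7642 comm="pppd" name="LCK..ttyUSB0" dev=sda2 ino=131675 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1271875115.334:27004): arch=40000003 syscall=5 success=no exit=-13
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(text):
    """Yield one dict per AVC denial; non-AVC records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:level]; the type is the third field.
        s_type = m['scon'].split(':')[2]
        t_user, _, t_type = m['tcon'].split(':')[:3]
        yield {'source': s_type, 'target': t_type, 'target_user': t_user,
               'tclass': m['tclass'], 'perms': m['perms'].split()}

def allow_rules(text):
    """Merge denials per (source, target, class) into allow rules."""
    merged = defaultdict(set)
    for d in parse_avc(text):
        merged[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE):
        print(rule)
```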

Comment 8 michiel 2010-11-16 12:14:57 UTC
F14 has /var/lock root:root

should unpoeterred: root:lock with group rwx

works for rxtx

maybe this has something to do with mobile-connection?

Comment 9 Lech 2010-11-17 00:39:44 UTC
Hi Daniel,

Thanks, I changed the SELinux settings graphically to permissive (and have since disabled SELinux anyway), which seemed to fix the problem in my case.