Bug 672054

Summary: AVCs while using xl2tpd
Product: [Fedora] Fedora Reporter: Ruben Kerkhof <ruben>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 13CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-89.fc13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-17 18:49:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Ruben Kerkhof 2011-01-23 15:48:19 UTC 
Description of problem:

Opening a vpn connection results in the following AVCs:

type=AVC msg=audit(1295797298.171:39383): avc:  denied  { execute } for  pid=19532 comm="pppd" name="unix_chkpwd" dev=vd
a1 ino=14436 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1295797298.171:39383): avc:  denied  { read open } for  pid=19532 comm="pppd" name="unix_chkpwd" dev=
vda1 ino=14436 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1295797298.171:39383): avc:  denied  { execute_no_trans } for  pid=19532 comm="pppd" path="/sbin/unix
_chkpwd" dev=vda1 ino=14436 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file

I'm using xl2tpd and pam authentication.
Comment 1 Daniel Walsh 2011-01-24 15:33:31 UTC 
Looks like we need to add

auth_domtrans_chk_passwd(pppd_t)
Comment 2 Miroslav Grepl 2011-01-24 15:39:21 UTC 
Ruben,
if you create the following local policy 

# cat mypol.te
policy_module(mypol,1.0)

require{
 type pppd_t;
}

auth_domtrans_chk_passwd(pppd_t)



and then execute

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp


does it work?
Comment 3 Ruben Kerkhof 2011-01-24 16:30:00 UTC 
Hi Miroslav,

Yes, this works great, thanks!

There are only 2 AVCs left now:
type=AVC msg=audit(1295885268.911:46236): avc:  denied  { write } for  pid=12710 comm="pppd" name="wtmp" dev=vda1 ino=27047 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:o
bject_r:wtmp_t:s0 tclass=file

and 

type=AVC msg=audit(1295885268.902:46234): avc:  denied  { setsched } for  pid=12710 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=pro
cess
Comment 4 Miroslav Grepl 2011-01-27 13:11:06 UTC 
Fixed in selinux-policy-3.7.19-87.fc13
Comment 5 Fedora Update System 2011-02-04 10:31:45 UTC 
selinux-policy-3.7.19-89.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-89.fc13
Comment 6 Fedora Update System 2011-02-04 19:48:51 UTC 
selinux-policy-3.7.19-89.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-89.fc13
Comment 7 Fedora Update System 2011-03-17 18:48:31 UTC 
selinux-policy-3.7.19-89.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.