Bug 699240

Summary: SELinux is preventing /usr/sbin/pppd from read access on the lnk_file /var/lock
Product: [Fedora] Fedora
Reporter: Bonzo1834 <bz1834>
Component: 0xFFFF
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: dwalsh, dwmw2, mgrepl, santiago.lunar.m
Doc Type: Bug Fix
Last Closed: 2011-04-28 14:43:08 UTC
Attachments:
SETroubleshoot Details Window output (flags: none)
SE alert with new policy (flags: none)

Description Bonzo1834 2011-04-24 14:29:33 UTC
Created attachment 494530
SETroubleshoot Details Window output

Description of problem:
SELinux is preventing /usr/sbin/pppd from read access on the lnk_file /var/lock

Mobile broadband connection needs pppd to have read access to this directory.

How reproducible:
100%

Steps to Reproduce:
1. https://bugzilla.redhat.com/show_bug.cgi?id=698975#c3

Additional info: attaching SETroubleshoot Details Window output as reporting from SELinux Alert browser does not work (bug report option is greyed out).

Comment 1 Daniel Walsh 2011-04-25 13:26:46 UTC
restorecon -v /var/lock

Comment 2 Bonzo1834 2011-04-25 15:34:07 UTC
didn't help, so I proceeded to the next suggestion:

grep pppd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

this worked

Comment 3 Daniel Walsh 2011-04-25 15:37:45 UTC
ls -ldZ /var/lock

Comment 4 Santiago Lunar 2011-04-26 13:12:25 UTC
Tried with:

grep pppd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

And also worked like a charm :)

Comment 5 Bonzo1834 2011-04-26 16:32:50 UTC
$ ls -ldZ /var/lock
lrwxrwxrwx. root root system_u:object_r:var_t:s0       /var/lock -> ../run/lock

Comment 6 Daniel Walsh 2011-04-26 16:50:49 UTC
matchpathcon /var/lock

Comment 7 Bonzo1834 2011-04-27 06:59:46 UTC
$ matchpathcon /var/lock
/var/lock	system_u:object_r:var_lock_t:s0

Comment 8 Miroslav Grepl 2011-04-27 09:18:07 UTC
Could you try it with the latest policy

http://koji.fedoraproject.org/koji/buildinfo?buildID=240947

Comment 9 Bonzo1834 2011-04-27 13:10:12 UTC
Created attachment 495227
SE alert with new policy

Comment 10 Bonzo1834 2011-04-27 13:10:51 UTC
OK, did the following:

$ semodule -d mypol
to disable the self-built module

Then installed 
selinux-policy-3.9.16-18.fc15.noarch.rpm
selinux-policy-doc-3.9.16-18.fc15.noarch.rpm
selinux-policy-minimum-3.9.16-18.fc15.noarch.rpm
selinux-policy-mls-3.9.16-18.fc15.noarch.rpm
selinux-policy-targeted-3.9.16-18.fc15.noarch.rpm
from koji

tried to connect with mobile broadband => no joy:

/var/log/messages:
Apr 27 14:56:38 a1 pppd[2182]: Can't create lock file /var/lock/LCK..ttyUSB0: Permission denied
Apr 27 14:56:42 a1 setroubleshoot: SELinux is preventing /usr/sbin/pppd from read access on the lnk_file /var/lock. For complete SELinux messages. run sealert -l e1731787-f04d-4b19-ba1c-160c11e8b91b

I attached the sealert (sealert_new.txt) in comment 9, it shows that selinux-policy-3.9.16-18.fc15 is now used.

Also tried a reboot, but that didn't help either.

Comment 11 Miroslav Grepl 2011-04-27 13:18:51 UTC
Ok, try to run

# restorecon -Rv /var

Comment 12 Bonzo1834 2011-04-28 14:39:06 UTC
Yes! restorecon did the trick, it's working now

Thank you!
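
The check done by hand in comments 3 to 7 (on-disk label from `ls -ldZ` against the policy default from `matchpathcon`), as an added shell example that is not part of the original bug report. The function names `ctx_type`, `label_status` and `check_path` are hypothetical; a reported mismatch is the condition `restorecon` corrects, while a local `audit2allow` module leaves the wrong label in place.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the bug report.
# Compares the label a path carries on disk with the policy default,
# the same comparison as `ls -ldZ` vs `matchpathcon` in the thread.

# Print the type field of a context string (user:role:type:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_status ACTUAL EXPECTED
# Prints "ok", "mislabeled <actual_type> -> <expected_type>" or "no-default".
# Only the type is compared, which is also what restorecon resets without -F.
label_status() {
    if [ "$2" = "<<none>>" ]; then   # matchpathcon output when policy has no entry
        echo "no-default"
        return 0
    fi
    a=$(ctx_type "$1")
    e=$(ctx_type "$2")
    if [ "$a" = "$e" ]; then
        echo "ok"
    else
        echo "mislabeled $a -> $e"
    fi
}

# check_path PATH: query the live system (needs the SELinux userland tools).
check_path() {
    # stat does not follow symlinks by default, so a link such as
    # /var/lock -> ../run/lock is checked itself, not its target.
    actual=$(stat -c %C "$1") || return 2
    expected=$(matchpathcon -n "$1") || return 2
    printf '%s: %s\n' "$1" "$(label_status "$actual" "$expected")"
}

# Usage: sh check_label.sh /var/lock /var/run ...
for p in "$@"; do
    check_path "$p"
done
```

With the two contexts posted in comments 5 and 7, `label_status` prints `mislabeled var_t -> var_lock_t`.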