| Summary: | SELinux is preventing /usr/sbin/pppd from 'open' accesses on the file vpnlog. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | ManFree <roman_romul> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 15 | CC: | dominick.grift, dwalsh, jskala, mgrepl, roman_romul |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:cedb81fdeb83def210dabf474dbdbf9a4cbf368f0125607474a6ae5a5e3f241a | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-07-11 07:53:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
What is vpnlog? And why is pppd opening it?

Pppd has the right to write its log; there is an option for pppd - logfile. In the logfile option the user writes any log, for example /var/log/vpnlog. The problem comes when using a VPN L2TP with xl2tpd. In this case SELinux does not allow pppd to use your log, but pppd is used for VPN L2TP: the daemon xl2tpd calls the pppd daemon, and SELinux blocks /usr/sbin/pppd.

If you want to use your own log file, you need to add the correct label for this log file:

```
# chcon -t pppd_log_t /var/log/vpnlog
```

or you can locate your log in the /var/log/ppp directory.

ManFree, from reading the policy, if pppd tried to create this file SELinux would have labeled it as pppd_log_t, but if you later relabeled the directory, or if the file was created outside pppd, it would be labeled var_log_t. It is easiest to manage if you just create the log file in /var/log/ppp, since it will get created with the correct label. If this is a standard path in the pppd config file we should set up a label for it in policy.

pppd also writes to /var/log/syslog, so SELinux must not react to the whole directory /var/log/ for pppd.

Well, not sure what /var/log/syslog is? It does not exist on my machine.

If I use /var/log/ppp/vpnlog, then the situation has not changed, the bug stays, SELinux continues to falsely block. The picture shows pppd working with some options, using Mandriva as an example: http://imglink.ru/show-image.php?id=9ef816dd7453a1482a3bb41f42176348

ManFree, if you run restorecon -R -v /var/log/ppp does it change the labels?

```
[alex@localhost ~]$ su
Password:
[root@localhost alex]# restorecon -R -v /var/log/ppp/
restorecon reset /var/log/ppp/vpnlog context unconfined_u:object_r:var_log_t:s0->system_u:object_r:pppd_log_t:s0
[root@localhost alex]#
```

This command has helped. Now it will work.

This is a bug, because SELinux doesn't work with openl2tp too:

https://bugzilla.redhat.com/show_bug.cgi?id=718465
https://bugzilla.redhat.com/show_bug.cgi?id=718466
https://bugzilla.redhat.com/show_bug.cgi?id=718467

Too many users have problems. That is why you must correct it directly in the code of SELinux.

Closing this bug because a new bug is opened.
logfile filename
Append log messages to the file filename (as well as sending the log messages to syslog). The file is opened with the privileges of the user who invoked pppd, in append mode.

SELinux is preventing /usr/sbin/pppd from 'open' accesses on the file vpnlog.

```
***** Plugin catchall (100. confidence) suggests ***************************

If you believe that pppd should be allowed open access on the vpnlog file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pppd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pppd_t:s0
Target Context                unconfined_u:object_r:var_log_t:s0
Target Objects                vpnlog [ file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ppp-2.4.5-16.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-23.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain 2.6.38.6-26.rc1.fc15.i686 #1 SMP
                              Mon May 9 20:43:14 UTC 2011 i686 i686
Alert Count                   10
First Seen                    Wed 01 Jun 2011 05:22:55 PM MSD
Last Seen                     Wed 01 Jun 2011 05:31:01 PM MSD
Local ID                      98464d0b-b897-4009-87de-6fb5b2e82c36

Raw Audit Messages
type=AVC msg=audit(1306935061.492:219): avc:  denied  { open } for  pid=2963 comm="pppd" name="vpnlog" dev=dm-1 ino=36650 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1306935061.492:219): arch=i386 syscall=open success=no exit=EACCES a0=bfec6114 a1=80401 a2=1a4 a3=ffffffff items=0 ppid=1868 pid=2963 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm=pppd exe=/usr/sbin/pppd subj=system_u:system_r:pppd_t:s0 key=(null)

Hash: pppd,pppd_t,var_log_t,file,open

audit2allow

#============= pppd_t ==============
allow pppd_t var_log_t:file open;

audit2allow -R

#============= pppd_t ==============
allow pppd_t var_log_t:file open;
```
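Reading the two audit records above before reaching for audit2allow, as an added example that is not code from this bug, pppd or setroubleshoot: it joins the AVC and SYSCALL records on their audit serial, decodes the open(2) flags in a1, and classifies the denial as a labeling problem because the target carries the generic var_log_t type rather than pppd_log_t (the type chcon and restorecon applied in the thread). The audit lines are constructed copies of the ones quoted here, and the expected log type is an assumption taken from the discussion.

```python
import re

# Constructed copies of the AVC and SYSCALL records quoted in this bug; they share one
# audit serial, so they describe the same failed open() by pppd.
AUDIT_LINES = [
    'type=AVC msg=audit(1306935061.492:219): avc: denied { open } for pid=2963 comm="pppd" '
    'name="vpnlog" dev=dm-1 ino=36650 scontext=system_u:system_r:pppd_t:s0 '
    'tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1306935061.492:219): arch=i386 syscall=open success=no '
    'exit=EACCES a0=bfec6114 a1=80401 a2=1a4 a3=ffffffff pid=2963 uid=0 comm=pppd '
    'exe=/usr/sbin/pppd subj=system_u:system_r:pppd_t:s0',
]
# open(2) flag bits on i386 Linux (<asm-generic/fcntl.h>); O_RDONLY is 0.
OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT", 0x80: "O_EXCL",
              0x200: "O_TRUNC", 0x400: "O_APPEND", 0x800: "O_NONBLOCK",
              0x8000: "O_LARGEFILE", 0x20000: "O_NOFOLLOW", 0x80000: "O_CLOEXEC"}
# Assumption from the thread: pppd's own logs carry pppd_log_t; var_log_t is generic /var/log.
EXPECTED_LOG_TYPE = "pppd_log_t"

def parse_audit(lines):
    """Merge records sharing an audit serial into one event; collect the denied permissions."""
    events = {}
    for line in lines:
        m = re.search(r"msg=audit\(([\d.:]+)\)", line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"perms": []})
        denied = re.search(r"denied\s*\{\s*([^}]*)\}", line)
        if denied:
            ev["perms"] += denied.group(1).split()
        for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
            if key != "msg":
                ev[key] = val.strip('"')
    return events

def decode_open_flags(hexval):
    """Expand open(2)'s a1 register into flag names; unknown bits are kept as hex."""
    bits = int(hexval, 16)
    names = [] if bits & 0x3 else ["O_RDONLY"]
    names += [n for b, n in sorted(OPEN_FLAGS.items()) if bits & b]
    rest = bits & ~sum(OPEN_FLAGS)
    return names + ([hex(rest)] if rest else [])

def triage(ev):
    """Relabel when pppd hits the generic /var/log type; the audit2allow rule would instead
    let pppd_t open every var_log_t file, which is far broader than one log."""
    stype, ttype = (c.split(":")[2] for c in (ev["scontext"], ev["tcontext"]))
    rule = f"allow {stype} {ttype}:{ev['tclass']} {' '.join(ev['perms'])};"
    if stype == "pppd_t" and ttype == "var_log_t" and ev["tclass"] == "file":
        return "mislabel", f"chcon -t {EXPECTED_LOG_TYPE} <path-to>/{ev['name']}", rule
    return "policy-gap", "report the AVC together with the file's full path", rule
```

The decoded a1 value shows O_WRONLY|O_APPEND with no O_CREAT, matching the man page's "append mode" and the thread's point that the file already existed with the wrong label when pppd opened it.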