Bug 710850

Description of problem:
it is not possible to start mobile internet connection from NetworkManager

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.9.16-26.fc15.noarch
ppp-2.4.5-16.fc15.i686
NetworkManager-0.8.9997-1.git20110531.fc15.i686


How reproducible:
100%

Steps to Reproduce:
1.Setup mobile broadband connection by internal gobi-2000 modem.
2.Check if it work by wvdial - all work OK. 
3.Start connection by nm-applet from KDE.
3.receive selinux alert and fail to establish internet connection.
  
Actual results:
WWAN connection do not work

Expected results:
WWAN connection work.


Additional info:
1. Proposed solution `restorecon -v /var/lock` do not help.
2. Changing SELINUX 'enforcing' to 'permissive' help.


SELinux is preventing /usr/sbin/pppd from read access on the lnk_file /var/lock.

*****  Plugin restorecon (94.8 confidence) suggests  *************************

If you want to fix the label. 
/var/lock default label should be var_lock_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/lock

*****  Plugin catchall_labels (5.21 confidence) suggests  ********************

If you want to allow pppd to have read access on the lock lnk_file
Then you need to change the label on /var/lock
Do
# semanage fcontext -a -t FILE_TYPE '/var/lock'
where FILE_TYPE is one of the following: pppd_etc_t, var_run_t, userdomain, device_t, ld_so_t, proc_t, proc_net_t, mta_exec_type, textrel_shlib_t, rpm_script_tmp_t, home_root_t, udev_var_run_t, var_run_t, var_lock_t, bin_t, cert_t, pppd_t, user_home_dir_t, device_t, devlog_t, locale_t, etc_t, proc_t, sysfs_t, postfix_etc_t, abrt_t, lib_t, root_t, var_run_t, var_run_t, var_run_t, cert_t. 
Then execute: 
restorecon -v '/var/lock'


*****  Plugin catchall (1.44 confidence) suggests  ***************************

If you believe that pppd should be allowed read access on the lock lnk_file by default. Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pppd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Исходный контекст             system_u:system_r:pppd_t:s0
Целевой контекст              system_u:object_r:var_t:s0
Целевые объекты               /var/lock [ lnk_file ]
Источник                      pppd
Путь к источнику              /usr/sbin/pppd
Порт                          <Неизвестно>
Узел                          ua-dudn000
Исходные пакеты RPM           ppp-2.4.5-16.fc15
Целевые пакеты RPM            filesystem-2.4.41-1.fc15
RPM политики                  selinux-policy-3.9.16-26.fc15
SELinux активен               True
Тип политики                  targeted
Принудительный режим          Permissive
Имя узла                      ua-dudn000
Платформа                     Linux ua-dudn000 2.6.38.6-27.fc15.i686.PAE #1 SMP
                              Sun May 15 17:39:47 UTC 2011 i686 i686
Счётчик уведомлений           2
Первый замеченный             Вск 05 Июн 2011 03:49:31
Последний замеченный          Вск 05 Июн 2011 09:38:51
Локальный ID                  6b0f2016-d38a-4857-abb5-4096dd0997d5

Необработанные сообщения аудита
type=AVC msg=audit(1307234971.469:63): avc:  denied  { read } for  pid=2594 comm="pppd" name="lock" dev=sda5 ino=3147445 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1307234971.469:63): arch=i386 syscall=open success=yes exit=EAGAIN a0=aa67a0 a1=800c2 a2=1a4 a3=aa67a0 items=0 ppid=847 pid=2594 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pppd exe=/usr/sbin/pppd subj=system_u:system_r:pppd_t:s0 key=(null)

Hash: pppd,pppd_t,var_t,lnk_file,read

audit2allow

#============= pppd_t ==============
allow pppd_t var_t:lnk_file read;

audit2allow -R

#============= pppd_t ==============
allow pppd_t var_t:lnk_file read;