Bug 712136
| Summary: | SELinux is preventing /usr/sbin/pppd from 'read' accesses on the lnk_file /var/lock. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Old Uncle <old.uncle.z> |
| Component: | 0xFFFF | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dominick.grift, dwalsh, dwmw2, ejacobs, jlbouras, lech.lobocki, mgrepl, nihar_smily17 |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:6df636d5961464d43741663523eca5cd785448bde375dd676a6b0505eb47e778 | ||
| Fixed In Version: | selinux-policy-3.9.16-30.fc15 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-06-24 03:54:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Attachments: | |||
The fix is to run as root: restorecon -R -v /var This only seems to partially work. 1) I plugged in my modem 2) I connected 3) I got the SELinux error 4) I ran restorecon on var 5) The folder still showed the wrong context, but my modem crashed. 6) I unplugged/replugged my modem 7) Now the file has the right context. The fact that the correct context is not set when the system first boots is an issue to me. The context should be right for now on. And we are pushing through a fix to policy to make sure it is correct on all boxes. Fixed in selinux-policy-3.9.16-29.fc15.noarch selinux-policy-3.9.16-29.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15 Package selinux-policy-3.9.16-29.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-29.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15 then log in and leave karma (feedback). *** Bug 712361 has been marked as a duplicate of this bug. *** Package selinux-policy-3.9.16-30.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-30.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-30.fc15 then log in and leave karma (feedback). selinux-policy-3.9.16-30.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. Does not appear to fix it. After installing this policy, rebooting, and attempting to connect, I still got SELinux errors. I've attached the output of ausearch (ausearch.log) and the policy generated by audit2allow (audit2allow.output). [root@t510dora ~]# yum list installed '*selinux*' Loaded plugins: langpacks, presto, refresh-packagekit Installed Packages libselinux.i686 2.0.99-4.fc15 @anaconda-InstallationRepo-201105131946.i686 libselinux-python.i686 2.0.99-4.fc15 @anaconda-InstallationRepo-201105131946.i686 libselinux-utils.i686 2.0.99-4.fc15 @anaconda-InstallationRepo-201105131946.i686 selinux-policy.noarch 3.9.16-30.fc15 @updates selinux-policy-targeted.noarch 3.9.16-30.fc15 @updates Created attachment 509782 [details]
Output of ausearch piped into audit2allow
Created attachment 509784 [details]
The output of an ausearch done after the failed pppd connection.
These errors appear when I am trying to initiate the wireless connection with a Verizon USB modem, by the way. restorecon -R -v /run/lock Created attachment 510553 [details]
Log output of audit/messages before/after restorecon while connecting Verizon modem.
Does not work. Booting up the system and trying to attach the modem produces SELinux errors. "restorecon -R -v /run/lock" produces no output. Then trying to attach the modem produces SELinux errors again. Log of before/after restorecon is attached.
*** This bug has been marked as a duplicate of bug 717161 *** |
SELinux is preventing /usr/sbin/pppd from 'read' accesses on the lnk_file /var/lock. ***** Plugin restorecon (94.8 confidence) suggests ************************* If you want to fix the label. /var/lock default label should be var_lock_t. Then you can run restorecon. Do # /sbin/restorecon -v /var/lock ***** Plugin catchall_labels (5.21 confidence) suggests ******************** If you want to allow pppd to have read access on the lock lnk_file Then you need to change the label on /var/lock Do # semanage fcontext -a -t FILE_TYPE '/var/lock' where FILE_TYPE is one of the following: pppd_etc_t, var_run_t, userdomain, device_t, ld_so_t, proc_t, proc_net_t, mta_exec_type, textrel_shlib_t, rpm_script_tmp_t, home_root_t, udev_var_run_t, var_run_t, var_lock_t, bin_t, cert_t, pppd_t, user_home_dir_t, device_t, devlog_t, locale_t, etc_t, proc_t, sysfs_t, postfix_etc_t, abrt_t, lib_t, root_t, var_run_t, var_run_t, var_run_t, cert_t. Then execute: restorecon -v '/var/lock' ***** Plugin catchall (1.44 confidence) suggests *************************** If you believe that pppd should be allowed read access on the lock lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pppd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:pppd_t:s0 Target Context system_u:object_r:var_t:s0 Target Objects /var/lock [ lnk_file ] Source pppd Source Path /usr/sbin/pppd Port <Unknown> Host (removed) Source RPM Packages ppp-2.4.5-16.fc15 Target RPM Packages filesystem-2.4.41-1.fc15 Policy RPM selinux-policy-3.9.16-26.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38.7-30.fc15.i686.PAE #1 SMP Fri May 27 05:44:56 UTC 2011 i686 i686 Alert Count 2 First Seen Thu 09 Jun 2011 05:48:17 PM GET Last Seen Thu 09 Jun 2011 05:48:33 PM GET Local ID 53922d4a-56b5-40e8-bf0f-6ea94b12c0f0 Raw Audit Messages type=AVC msg=audit(1307627313.601:102): avc: denied { read } for pid=3994 comm="pppd" name="lock" dev=dm-1 ino=263467 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1307627313.601:102): arch=i386 syscall=open success=no exit=EACCES a0=f627a0 a1=800c2 a2=1a4 a3=f627a0 items=0 ppid=874 pid=3994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pppd exe=/usr/sbin/pppd subj=system_u:system_r:pppd_t:s0 key=(null) Hash: pppd,pppd_t,var_t,lnk_file,read audit2allow #============= pppd_t ============== allow pppd_t var_t:lnk_file read; audit2allow -R #============= pppd_t ============== allow pppd_t var_t:lnk_file read;