Bug 715489

Summary: selinux and pppd errors
Product: [Fedora] Fedora
Reporter: Ankur Sinha (FranciscoD) <sanjay.ankur>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 15
CC: bz1834, dominick.grift, dwalsh, mgrepl
Hardware: noarch
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-06-27 05:38:13 UTC
Attachments (description, flags):
policy generated for "read" (flags: none)
policy generated for "unlink" (flags: none)
policy generated for "open" (flags: none)

Description Ankur Sinha (FranciscoD) 2011-06-23 03:39:47 UTC
Description of problem:
I get selinux avc denials while trying to connect to the internet using my USB mobile broadband connection. I noticed more bugs related to pppd, probably filed from my system using sealert, but I wasn't sure where to upload what files.

Version-Release number of selected component (if applicable):
[root@ankur ~]# rpm -q selinux-policy
selinux-policy-3.9.16-26.fc15.noarch


How reproducible:
If you try to use this USB broadband device with a pristine selinux-policy, you get multiple avc denials sequentially (first read, unlink, open)

Steps to Reproduce:
1. Make sure you have an unaltered selinux-policy
2. Insert the USB device
3. Try to connect to the internet using Network Manager
  
Actual results:
AVC denials which need you to generate policies to get it to work

Expected results:
Should work out of the box :)


Additional info:
I had restored /var/lock using restorecon (using the generated policies gives me other errors which I'll file bugs against when I see them again), and reinserted the USB device to connect to the internet.

I'm attaching 3 generated policies that were required.

Comment 1 Ankur Sinha (FranciscoD) 2011-06-23 03:40:27 UTC
Created attachment 506110
policy generated for "read"

Comment 2 Ankur Sinha (FranciscoD) 2011-06-23 03:40:55 UTC
Created attachment 506111
policy generated for "unlink"

Comment 3 Ankur Sinha (FranciscoD) 2011-06-23 03:41:20 UTC
Created attachment 506112
policy generated for "open"

Comment 4 Ankur Sinha (FranciscoD) 2011-06-23 03:42:13 UTC
These were the policies generated this time. I hope they have enough info for you to solve the issue. Please let me know if you need any other info. I will be more than happy to provide it. 

Thank you :)
Ankur

Comment 5 Daniel Walsh 2011-06-23 13:23:57 UTC
I would rather have the raw AVCs that you used to generate the policy or the te files that were generated.

Comment 6 Ankur Sinha (FranciscoD) 2011-06-23 14:08:56 UTC
Oh! I'll generate them again and add them tonight then. 

Thanks,
Ankur

Comment 7 Bonzo1834 2011-06-24 13:13:24 UTC
The following broke my mobile broadband today:

selinux-policy-doc-3.9.16-30.fc15.noarch
selinux-policy-minimum-3.9.16-30.fc15.noarch
selinux-policy-mls-3.9.16-30.fc15.noarch
selinux-policy-targeted-3.9.16-30.fc15.noarch

SELinux is preventing /usr/sbin/pppd from read access on the lnk_file /var/lock
SELinux is preventing /usr/sbin/pppd from search access on the directory lock

The first error had been solved before:
https://bugzilla.redhat.com/show_bug.cgi?id=699240
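
Added illustration, not part of the bug report and not audit2allow's own code: the Python below shows what the "raw AVCs" requested in comment 5 look like in the audit log and how they map to the `.te` allow rules a maintainer reviews. The log records are constructed to mirror the two denials quoted in comment 7; the types `pppd_t` and `var_lock_t`, the PIDs, inodes and timestamps are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the bug report). They mirror the
# two denials quoted in comment 7; the types pppd_t and var_lock_t are assumed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1308921204.101:88): avc:  denied  { read } for  pid=2101 comm="pppd" name="lock" dev=dm-1 ino=1311 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1308921204.102:89): avc:  denied  { search } for  pid=2101 comm="pppd" name="lock" dev=tmpfs ino=5523 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=SYSCALL msg=audit(1308921204.102:89): arch=c000003e syscall=2 success=no exit=-13 comm="pppd" exe="/usr/sbin/pppd"
type=AVC msg=audit(1308921210.007:93): avc:  denied  { search } for  pid=2107 comm="pppd" name="lock" dev=tmpfs ino=5523 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no denial fields
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())  # repeated denials collapse
    return dict(denials)

def to_te_rules(denials):
    """Render denials as .te allow rules for review; nothing is loaded."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(to_te_rules(parse_denials(SAMPLE_AUDIT_LOG))))
```

The raw records carry the source and target types and the object class, which is what lets a policy maintainer decide whether the fix belongs in the policy or in the file labels; a compiled policy module alone does not show that.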

Comment 8 Ankur Sinha (FranciscoD) 2011-06-25 17:58:20 UTC
Hello,

I'm having some trouble with sealert. I've filed a bug. I'll provide the necessary info once it's fixed. 

https://bugzilla.redhat.com/show_bug.cgi?id=716626

Thanks,
Ankur

Comment 9 Miroslav Grepl 2011-06-27 05:38:13 UTC
The original issue should be fixed. I am closing the bug.