Bug 891630
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/libexec/nm-l2tp-service from 'execute' accesses on the file /usr/sbin/xl2tpd. |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 18 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | CLOSED CURRENTRELEASE |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Фукидид <fukidid> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, lvrabec, mgrepl |
| Keywords | Reopened |
| Whiteboard | abrt_hash:95a7d551b7e4538ef57d6c56653cd91d6501c36fdd23bcf8c8d5e2be72a63ab1 |
| Doc Type | Bug Fix |
| Last Closed | 2013-10-25 11:22:30 UTC |

Description
Фукидид
2013-01-03 13:11:05 UTC
Created attachment 672077
File: type
Created attachment 672078
File: hashmarkername
You're missing the AVC report?

SELinux is preventing /usr/libexec/nm-l2tp-service from execute access on the file /usr/sbin/xl2tpd.

***** Plugin leaks (86.2 confidence) suggests ******************************

If вы хотите игнорировать попытки доступа nm-l2tp-service (execute) к xl2tpd file, так как вы считаете, что в таком доступе нет необходимости.
Then рекомендуется создать отчет об ошибке. Чтобы отменить аудит подобного доступа, можно создать локальный модуль политики.
Do
# grep /usr/libexec/nm-l2tp-service /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

***** Plugin catchall (14.7 confidence) suggests ***************************

If вы считаете, что nm-l2tp-service следует разрешить доступ execute к xl2tpd file по умолчанию.
Then рекомендуется создать отчет об ошибке. Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
чтобы разрешить доступ, выполните:
# grep nm-l2tp-service /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context       system_u:system_r:NetworkManager_t:s0
Target Context       system_u:object_r:l2tpd_exec_t:s0
Target Objects       /usr/sbin/xl2tpd [ file ]
Source               nm-l2tp-service
Source Path          /usr/libexec/nm-l2tp-service
Port                 <Неизвестно>
Host                 localhost.localdomain
Source RPM Packages  NetworkManager-l2tp-0.9.6-3.fc17.x86_64
Target RPM Packages  xl2tpd-1.3.1-9.fc17.x86_64
Policy RPM           selinux-policy-3.10.0-161.fc17.noarch
Selinux Enabled      True
Policy Type          targeted
Enforcing Mode       Enforcing
Host Name            localhost.localdomain
Platform             Linux localhost.localdomain 3.6.10-2.fc17.x86_64 #1 SMP Tue Dec 11 18:07:34 UTC 2012 x86_64 x86_64
Alert Count          1
First Seen           2013-01-04 22:39:10 FET
Last Seen            2013-01-04 22:39:10 FET
Local ID             debb515e-5136-457c-a3a3-79b6fae8de1d

Raw Audit Messages
type=AVC msg=audit(1357328350.559:136): avc: denied { execute } for pid=8469 comm="nm-l2tp-service" name="xl2tpd" dev="dm-2" ino=58922 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:l2tpd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1357328350.559:136): arch=x86_64 syscall=execve success=no exit=EACCES a0=17ec420 a1=17ec4e0 a2=7fff2aff73b8 a3=8 items=0 ppid=8467 pid=8469 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nm-l2tp-service exe=/usr/libexec/nm-l2tp-service subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Hash: nm-l2tp-service,NetworkManager_t,l2tpd_exec_t,file,execute

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t l2tpd_exec_t:file execute;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t l2tpd_exec_t:file execute;

*** Bug 891627 has been marked as a duplicate of this bug. ***

Added to F17.

commit 348d631766fd95f638080de61bd3b9e331abda11
Author: Miroslav Grepl <mgrepl>
Date: Mon Jan 7 12:12:08 2013 +0100

Allow NM to transition to l2tpd

*** Bug 901525 has been marked as a duplicate of this bug. ***

I tried to connect to the Internet using NetworkManager-l2tp.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

selinux-policy-3.10.0-167.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-167.fc17

Package selinux-policy-3.10.0-167.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-167.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1971/selinux-policy-3.10.0-167.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-167.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

The problem recurred in Fedora 18. selinux-policy-3.11.1-82.fc18 is installed.
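
Added example, not part of the original report and not code from setroubleshoot or audit2allow: a small Python parser for the AVC record quoted in this bug that merges denials into candidate allow rules, the way the audit2allow output in the report does, and marks rules that deserve review. The function names, the second AVC line and the `_exec_t` review heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: this report's AVC line, a trimmed SYSCALL line, a made-up repeat.
SAMPLE_LOG = [
    'type=AVC msg=audit(1357328350.559:136): avc:  denied  { execute } for  pid=8469 '
    'comm="nm-l2tp-service" name="xl2tpd" dev="dm-2" ino=58922 '
    'scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:l2tpd_exec_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1357328350.559:136): arch=x86_64 syscall=execve success=no',
    'type=AVC msg=audit(1357328399.001:140): avc:  denied  { execute } for  pid=8501 '
    'comm="nm-l2tp-service" scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:l2tpd_exec_t:s0 tclass=file',
]

def se_type(context):
    """Type field of user:role:type[:level]; the level may contain ':' itself."""
    parts = context.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'malformed context: {context!r}')
    return parts[2]

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))} if m else {}
    if not {'scontext', 'tcontext', 'tclass'} <= kv.keys():
        return None
    return {'perms': m.group('perms').split(), 'source': se_type(kv['scontext']),
            'target': se_type(kv['tcontext']), 'tclass': kv['tclass']}

def summarize(lines):
    """Merge denials per (source, target, class) into candidate allow rules."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        grouped[(rec['source'], rec['target'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        # Assumed heuristic: *_exec_t names a domain entrypoint, so review "execute" on it.
        review = 'execute' in perms and tgt.endswith('_exec_t')
        rules.append((f'allow {src} {tgt}:{cls} {text};', review))
    return rules

if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

For this report the flagged rule is the one audit2allow printed, while the change that was committed is described as allowing NM to transition to l2tpd.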