Description of problem:
When selinux is enabled, I cannot use ipx_interface to set up ipx, thus ncpmount does not work. I have tried all available contexts. If I disable selinux, set up the ipx interface, mount a share, then re-enable selinux, ncp loses the connection and hogs the cpu.
Version-Release number of selected component (if applicable):
How reproducible:
every time
Steps to Reproduce:
1. ipx_interface add -p eth? [frame type]
2. or setenforce 0, ipx_interface..., ncpmount..., setenforce 1
Actual results:
ipx_interface: socket: Permission denied
Expected results:
ability to use ncpfs, ipx
Additional info:
I have tried to figure out selinux policies... but have failed else I would have tried to fix it...
I tried poking around here as well. ncpfs isn't defined anywhere under types.
Can you post the SELinux avc messages?
I can reproduce this in policy-1.9.2-12. What's weird is that there are absolutely no AVC messages generated in /var/log/messages when this is denied. Yet setenforce 0 allows the interface to be plumbed.
Phil
Are there any messages when setenforce 0 is specified? Or any messages for that matter.
Dan
Ooh. Yes there is:
Apr 6 12:28:56 pm2 kernel: audit(1081268936.471:0): avc: denied { ioctl } for pid=2663 exe=/sbin/ipx_interface path=socket:[5590] dev= ino=5590 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=socket
Also, from /etc/security/selinux/src/policy:
grep -R ncpfs *
grep -R ncpumount *
grep -R ncpmount *
all return nothing.
Phil
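Added example, not part of the original thread or of the SELinux policy sources: a small Python parser for the AVC line quoted in the comment above, which derives the type-enforcement rule the denial corresponds to. The function names parse_avc and candidate_rule are hypothetical, and the rule it prints is a candidate for review, not the fix that was committed.

```python
import re

# AVC denial copied from the comment above (2004-era kernel audit format).
SAMPLE = (
    "Apr 6 12:28:56 pm2 kernel: audit(1081268936.471:0): avc: denied { ioctl } "
    "for pid=2663 exe=/sbin/ipx_interface path=socket:[5590] dev= ino=5590 "
    "scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=socket"
)

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; the value may be empty, as "dev= " is in the sample line.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_avc(line):
    """Return the parsed AVC record as a dict, or None if the line has no AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    missing = [k for k in ("scontext", "tcontext", "tclass") if k not in fields]
    if missing:
        raise ValueError("AVC record lacks " + ", ".join(missing))
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "fields": fields,
    }


def candidate_rule(avc):
    """Build the allow rule matching one denial (contexts are user:role:type)."""
    f = avc["fields"]
    source = f["scontext"].split(":")[2]
    target = f["tcontext"].split(":")[2]
    if target == source:
        target = "self"  # a domain acting on its own object, as with this socket
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (source, target, f["tclass"], perm_text)


if __name__ == "__main__":
    print(candidate_rule(parse_avc(SAMPLE)))
```

The denial is against the generic socket class in the caller's own domain (sysadm_t), which is consistent with the grep results in the same comment showing no ncpfs-specific types in the policy.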
I just realized that I lost this bugzilla. I am looking to fix this for FC3/RHEL4 but do not have access to an ipx machine. I have modified the policy to allow ipx_interface and friends to work but I need to add the ncpfs stuff.
Dan