First Last Prev Next    This bug is not in your last search results.
Bug 119911 - IPX_UTILS, NCPFS not working with selinux enabled
IPX_UTILS, NCPFS not working with selinux enabled
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
David Lawrence
: SELinux
Depends On:
Blocks: 122683
  Show dependency treegraph
 
Reported: 2004-04-02 21:11 EST by Matthew Almond
Modified: 2007-11-30 17:10 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-01-05 08:41:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Matthew Almond 2004-04-02 21:11:10 EST 
Description of problem:
When selinux is enabled, I cannot use ipx_interface to set up ipx,
thus ncpmount does not work. I have tried all avaliable contexts.  If
I disable selinux, set up the ipx interface, mount a share, then
re-enable selinux, ncp looses the connection and hogs the cpu.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. ipx_interface add -p eth? [frame type]
2. or setenforce 0, ipx_interface..., ncpmount..., setenforce 1
  
Actual results:
ipx_interface: socket: Permission denied

Expected results:
ability to use ncpfs, ipx

Additional info:
I have tried to figure out selinux policies... but have failed else I
would have tried to fix it...
Comment 1 Phil Moors 2004-04-05 12:11:14 EDT 
I tried poking around here as well. ncpfs isn't defined anywhere under
types.
Comment 2 Bill Nottingham 2004-04-06 00:56:31 EDT 
Can you post the SELinux avc messages?
Comment 3 Phil Moors 2004-04-06 12:11:43 EDT 
I can reproduce this in policy-1.9.2-12. What's weird is that there
are absolutely no AVC messages generated in /var/log/messages when
this is denied. Yet setenforce 0 allows the interface to be plumbed.

Phil
Comment 4 Daniel Walsh 2004-04-06 12:14:47 EDT 
Are there any messages when setenforce 0 is specified?
Or any messages for that matter.


Dan
Comment 5 Phil Moors 2004-04-06 12:27:40 EDT 
Ooh. Yes there is:

Apr  6 12:28:56 pm2 kernel: audit(1081268936.471:0): avc:  denied  {
ioctl } for  pid=2663 exe=/sbin/ipx_interface path=socket:[5590] dev=
ino=5590 scontext=root:sysadm_r:sysadm_t
tcontext=root:sysadm_r:sysadm_t tclass=socket

Also, from /etc/security/selinux/src/policy:
    grep -R ncpfs *
    grep -R ncpumount *
    grep -R ncpmount *
all return nothing.

Phil
Comment 6 Daniel Walsh 2004-12-01 09:07:10 EST 
I just realized that I lost this bugzilla.  I am looking to fix this
for FC3/RHEL4 but do not have access to and ipx machine.  I have
modified the policy to allow ipx_interface and freinds to work but I
need to add the ncpfs stuff.

Dan
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.