Bug 119911 - IPX_UTILS, NCPFS not working with selinux enabled
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks: 122683
Reported: 2004-04-03 02:11 UTC by Matthew Almond
Modified: 2007-11-30 22:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-01-05 13:41:41 UTC
Type: ---
Embargoed:

Description Matthew Almond 2004-04-03 02:11:10 UTC
Description of problem:
When selinux is enabled, I cannot use ipx_interface to set up ipx,
thus ncpmount does not work. I have tried all available contexts.  If
I disable selinux, set up the ipx interface, mount a share, then
re-enable selinux, ncp loses the connection and hogs the cpu.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. ipx_interface add -p eth? [frame type]
2. or setenforce 0, ipx_interface..., ncpmount..., setenforce 1
  
Actual results:
ipx_interface: socket: Permission denied

Expected results:
ability to use ncpfs, ipx

Additional info:
I have tried to figure out selinux policies... but have failed else I
would have tried to fix it...

Comment 1 Phil Moors 2004-04-05 16:11:14 UTC
I tried poking around here as well. ncpfs isn't defined anywhere under
types.

Comment 2 Bill Nottingham 2004-04-06 04:56:31 UTC
Can you post the SELinux avc messages?

Comment 3 Phil Moors 2004-04-06 16:11:43 UTC
I can reproduce this in policy-1.9.2-12. What's weird is that there
are absolutely no AVC messages generated in /var/log/messages when
this is denied. Yet setenforce 0 allows the interface to be plumbed.

Phil

Comment 4 Daniel Walsh 2004-04-06 16:14:47 UTC
Are there any messages when setenforce 0 is specified?
Or any messages for that matter.


Dan

Comment 5 Phil Moors 2004-04-06 16:27:40 UTC
Ooh. Yes there is:

Apr  6 12:28:56 pm2 kernel: audit(1081268936.471:0): avc:  denied  {
ioctl } for  pid=2663 exe=/sbin/ipx_interface path=socket:[5590] dev=
ino=5590 scontext=root:sysadm_r:sysadm_t
tcontext=root:sysadm_r:sysadm_t tclass=socket

Also, from /etc/security/selinux/src/policy:
    grep -R ncpfs *
    grep -R ncpumount *
    grep -R ncpmount *
all return nothing.

Phil
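
Reading the denial quoted in Comment 5, as an added example (not part of the original thread and not code from the SELinux tools): it splits the record into its fields and derives the type-enforcement rule the record implies. The function names are hypothetical, the log line is the one from Comment 5 re-joined onto one line, and the resulting rule is only what this record asks for, not the change that was made to the Fedora policy.

```python
import re

# The denial quoted in Comment 5, re-joined onto one line.
AVC_LINE = (
    "Apr  6 12:28:56 pm2 kernel: audit(1081268936.471:0): avc:  denied  { ioctl } "
    "for  pid=2663 exe=/sbin/ipx_interface path=socket:[5590] dev= ino=5590 "
    "scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=socket"
)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)


def parse_avc(line):
    """Split one AVC record into result, permissions and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # Values may be empty (dev= in the record above), so match \S* rather than \S+.
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    return {"result": m.group("result"), "perms": m.group("perms").split(), **fields}


def context_type(context):
    """Return the type from a user:role:type context; TE rules name only the type."""
    return context.split(":")[2]


def candidate_rule(avc):
    """Build the allow rule that would permit the access this record reports."""
    source = context_type(avc["scontext"])
    target = context_type(avc["tcontext"])
    # Policy language writes 'self' when a domain acts on an object it labels itself.
    if target == source:
        target = "self"
    perms = " ".join(avc["perms"])
    return f"allow {source} {target}:{avc['tclass']} {{ {perms} }};"


if __name__ == "__main__":
    record = parse_avc(AVC_LINE)
    print(record["exe"], record["perms"], record["tclass"])
    print(candidate_rule(record))
```

The record shows sysadm_t being refused ioctl on a socket it created itself (source and target context are identical), which is why the derived rule uses `self`.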

Comment 6 Daniel Walsh 2004-12-01 14:07:10 UTC
I just realized that I lost this bugzilla.  I am looking to fix this
for FC3/RHEL4 but do not have access to an ipx machine.  I have
modified the policy to allow ipx_interface and friends to work but I
need to add the ncpfs stuff.

Dan
