Bug 119911 - IPX_UTILS, NCPFS not working with selinux enabled
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
rawhide
i386 Linux
medium Severity medium
Assigned To: Daniel Walsh
David Lawrence
: SELinux
Depends On:
Blocks: 122683
Reported: 2004-04-02 21:11 EST by Matthew Almond
Modified: 2007-11-30 17:10 EST (History)
Last Closed: 2005-01-05 08:41:41 EST
Description Matthew Almond 2004-04-02 21:11:10 EST
Description of problem:
When selinux is enabled, I cannot use ipx_interface to set up ipx,
thus ncpmount does not work. I have tried all available contexts.  If
I disable selinux, set up the ipx interface, mount a share, then
re-enable selinux, ncp loses the connection and hogs the cpu.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. ipx_interface add -p eth? [frame type]
2. or setenforce 0, ipx_interface..., ncpmount..., setenforce 1
  
Actual results:
ipx_interface: socket: Permission denied

Expected results:
ability to use ncpfs, ipx

Additional info:
I have tried to figure out selinux policies... but have failed else I
would have tried to fix it...
Comment 1 Phil Moors 2004-04-05 12:11:14 EDT
I tried poking around here as well. ncpfs isn't defined anywhere under
types.
Comment 2 Bill Nottingham 2004-04-06 00:56:31 EDT
Can you post the SELinux avc messages?
Comment 3 Phil Moors 2004-04-06 12:11:43 EDT
I can reproduce this in policy-1.9.2-12. What's weird is that there
are absolutely no AVC messages generated in /var/log/messages when
this is denied. Yet setenforce 0 allows the interface to be plumbed.

Phil
Comment 4 Daniel Walsh 2004-04-06 12:14:47 EDT
Are there any messages when setenforce 0 is specified?
Or any messages for that matter.


Dan
Comment 5 Phil Moors 2004-04-06 12:27:40 EDT
Ooh. Yes there is:

Apr  6 12:28:56 pm2 kernel: audit(1081268936.471:0): avc:  denied  {
ioctl } for  pid=2663 exe=/sbin/ipx_interface path=socket:[5590] dev=
ino=5590 scontext=root:sysadm_r:sysadm_t
tcontext=root:sysadm_r:sysadm_t tclass=socket

Also, from /etc/security/selinux/src/policy:
    grep -R ncpfs *
    grep -R ncpumount *
    grep -R ncpmount *
all return nothing.

Phil
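
Added example, not part of the original bug report and not the code of any SELinux tool: a small parser for the AVC denial format quoted in comment 5 that derives the type-enforcement rule the denial corresponds to, in the style of audit2allow output. The function names (parse_avc, context_type, allow_rules) are hypothetical, the second log line is constructed to show permissions being merged, and the resulting rule is a candidate for policy review, not the change made for this bug.

```python
import re
from collections import defaultdict

# Denial quoted in comment 5, rejoined onto one line.
PAGE_DENIAL = (
    "Apr  6 12:28:56 pm2 kernel: audit(1081268936.471:0): avc:  denied  { "
    "ioctl } for  pid=2663 exe=/sbin/ipx_interface path=socket:[5590] dev= "
    "ino=5590 scontext=root:sysadm_r:sysadm_t "
    "tcontext=root:sysadm_r:sysadm_t tclass=socket")
# Constructed line (not from the bug report) to show permissions being merged.
CONSTRUCTED_DENIAL = (
    "kernel: audit(1081268936.480:0): avc:  denied  { create } for  pid=2663 "
    "exe=/sbin/ipx_interface scontext=root:sysadm_r:sysadm_t "
    "tcontext=root:sysadm_r:sysadm_t tclass=socket")

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")

def parse_avc(line):
    """Return the permissions and key=value fields of one denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {"perms": m.group(1).split(), **fields}

def context_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def allow_rules(lines):
    """Merge denials into candidate allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue  # not an AVC denial, or missing required fields
        src, tgt = context_type(avc["scontext"]), context_type(avc["tcontext"])
        if src is None or tgt is None:
            continue
        merged[(src, "self" if src == tgt else tgt, avc["tclass"])].update(avc["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = sorted(perms)
        text = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules([PAGE_DENIAL, CONSTRUCTED_DENIAL])))
```

Because the source and target contexts in the quoted denial are identical, the derived rule targets self.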
Comment 6 Daniel Walsh 2004-12-01 09:07:10 EST
I just realized that I lost this bugzilla.  I am looking to fix this
for FC3/RHEL4 but do not have access to an ipx machine.  I have
modified the policy to allow ipx_interface and friends to work but I
need to add the ncpfs stuff.

Dan
