Description of problem:
With the targeted policy enforcing, mgetty fails to invoke pppd. I've updated to selinux-policy-targeted-1.23.18-17 and forced a relabeling by creating /.autorelabel and rebooting, but the problem persists.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-17

How reproducible:
Every time

Steps to Reproduce:
1. Upgrade from FC3 to FC4, configure mgetty and pppd as a dial-in server
2. Update to selinux-policy-targeted-1.23.18-17
3. Attempt to dial in to the system

Actual results:
If selinux is enforcing, mgetty fails to start pppd:

Jun 30 14:03:56 oneringydingy mgetty[1964]: cannot execute '/usr/sbin/pppd': Permission denied
Jun 30 14:03:56 oneringydingy kernel: audit(1120154636.031:2): avc: denied { search } for pid=1964 comm="mgetty" name=sbin dev=hda1 ino=159775 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir

If selinux is permissive, pppd works, but these messages are logged:

Jun 30 14:28:12 oneringydingy mgetty[2088]: data dev=ttyS46, pid=2088, caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd', user='/AutoPPP/'
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.715:4): avc: denied { search } for pid=2088 comm="mgetty" name=sbin dev=hda1 ino=159775 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:5): avc: denied { execute } for pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t tclass=file
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:6): avc: denied { execute_no_trans } for pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t tclass=file
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:7): avc: denied { read } for pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.421:8): avc: denied { search } for pid=2088 comm="pppd" name=ppp dev=hda1 ino=32851 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_etc_t tclass=dir
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.515:9): avc: denied { read } for pid=2088 comm="pppd" name=options dev=hda1 ino=32412 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_etc_rw_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.515:10): avc: denied { getattr } for pid=2088 comm="pppd" name=options dev=hda1 ino=32412 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_etc_rw_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.567:11): avc: denied { setuid } for pid=2088 comm="pppd" capability=7 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.567:12): avc: denied { search } for pid=2088 comm="pppd" name=root dev=hda1 ino=63841 scontext=system_u:system_r:getty_t tcontext=root:object_r:user_home_dir_t tclass=dir
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.568:13): avc: denied { read write } for pid=2088 comm="pppd" name=ppp dev=tmpfs ino=2190 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ppp_device_t tclass=chr_file
Jun 30 14:28:13 oneringydingy kernel: CSLIP: code copyright 1989 Regents of the University of California
Jun 30 14:28:13 oneringydingy kernel: PPP generic driver version 2.4.2
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.957:14): avc: denied { net_admin } for pid=2088 comm="pppd" capability=12 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.958:15): avc: denied { read } for pid=2088 comm="pppd" name=resolv.conf dev=hda1 ino=31915 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:net_conf_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.958:16): avc: denied { getattr } for pid=2088 comm="pppd" name=resolv.conf dev=hda1 ino=31915 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:net_conf_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.959:17): avc: denied { create } for pid=2088 comm="pppd" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=udp_socket
Jun 30 14:28:13 oneringydingy pppd[2088]: pppd 2.4.2 started by a_ppp, uid 0
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.321:18): avc: denied { ioctl } for pid=2088 comm="pppd" name=ppp dev=tmpfs ino=2190 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ppp_device_t tclass=chr_file
Jun 30 14:28:14 oneringydingy pppd[2088]: Using interface ppp0
Jun 30 14:28:14 oneringydingy pppd[2088]: Connect: ppp0 <--> /dev/ttyS46
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.348:19): avc: denied { read } for pid=2088 comm="pppd" name=chap-secrets dev=hda1 ino=32626 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_secret_t tclass=file
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.348:20): avc: denied { getattr } for pid=2088 comm="pppd" name=chap-secrets dev=hda1 ino=32626 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_secret_t tclass=file
Jun 30 14:28:15 oneringydingy kernel: audit(1120156095.689:21): avc: denied { ioctl } for pid=2088 comm="pppd" name=[7800] dev=sockfs ino=7800 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=udp_socket
Jun 30 14:28:16 oneringydingy pppd[2088]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Jun 30 14:28:16 oneringydingy pppd[2088]: found interface eth0 for proxy arp
Jun 30 14:28:16 oneringydingy pppd[2088]: local IP address 1.1.1.1
Jun 30 14:28:16 oneringydingy pppd[2088]: remote IP address 1.1.1.28
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.230:22): avc: denied { getattr } for pid=2088 comm="pppd" name=ip-up dev=hda1 ino=32870 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.231:23): avc: denied { setgid } for pid=2631 comm="pppd" capability=6 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.231:24): avc: denied { execute } for pid=2631 comm="pppd" name=ip-up dev=hda1 ino=32870 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.232:25): avc: denied { execute_no_trans } for pid=2631 comm="pppd" name=ip-up dev=hda1 ino=32870 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.232:26): avc: denied { read } for pid=2631 comm="pppd" name=ip-up dev=hda1 ino=32870 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.232:27): avc: denied { read } for pid=2088 comm="pppd" name=[7859] dev=pipefs ino=7859 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=fifo_file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.437:28): avc: denied { execute } for pid=2631 comm="pppd" name=bash dev=hda1 ino=63824 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:shell_exec_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.437:29): avc: denied { read } for pid=2631 comm="pppd" name=bash dev=hda1 ino=63824 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:shell_exec_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.440:30): avc: denied { read write } for pid=2631 comm="ip-up" name=tty dev=tmpfs ino=2191 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:devtty_t tclass=chr_file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.444:31): avc: denied { read } for pid=2631 comm="ip-up" name=meminfo dev=proc ino=-268435454 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.444:32): avc: denied { getattr } for pid=2631 comm="ip-up" name=meminfo dev=proc ino=-268435454 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.485:33): avc: denied { ioctl } for pid=2631 comm="ip-up" name=ip-up dev=hda1 ino=32870 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.545:34): avc: denied { read } for pid=2632 comm="ip-up" name=sh dev=hda1 ino=63765 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Jun 30 14:28:52 oneringydingy pppd[2088]: LCP terminated by peer (User request)
Jun 30 14:28:52 oneringydingy kernel: audit(1120156132.952:35): avc: denied { execute } for pid=2640 comm="ip-down" name=ifdown-post dev=hda1 ino=33139 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:etc_t tclass=file
Jun 30 14:28:52 oneringydingy kernel: audit(1120156132.955:36): avc: denied { execute_no_trans } for pid=2640 comm="ip-down" name=ifdown-post dev=hda1 ino=33139 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:etc_t tclass=file
Jun 30 14:28:53 oneringydingy kernel: audit(1120156133.029:37): avc: denied { ioctl } for pid=2640 comm="ifdown-post" name=ifdown-post dev=hda1 ino=33139 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:etc_t tclass=file
Jun 30 14:28:53 oneringydingy kernel: audit(1120156133.049:38): avc: denied { getattr } for pid=2643 comm="sed" name=[7873] dev=pipefs ino=7873 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=fifo_file
Jun 30 14:28:53 oneringydingy kernel: audit(1120156133.129:39): avc: denied { write } for pid=2642 comm="basename" name=[7873] dev=pipefs ino=7873 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=fifo_file

Expected results:
ppp connection should be successful.

Additional info:
Fixed in selinux-policy-targeted-1.24-3
Thanks for the update, but something still isn't quite right. With selinux-policy-targeted-1.24-3, in enforcing mode, mgetty still fails to invoke ppp with these messages logged:

Jul 7 06:41:28 oneringydingy mgetty[1954]: data dev=ttyS45, pid=1954, caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd', user='/AutoPPP/'
Jul 7 06:41:28 oneringydingy mgetty[1954]: cannot execute '/usr/sbin/pppd': Permission denied
Jul 7 06:41:28 oneringydingy kernel: audit(1120732888.984:3): avc: denied { search } for pid=1954 comm="mgetty" name=sbin dev=hda1 ino=159775 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir
Jul 7 06:41:29 oneringydingy mgetty[2251]: TIOCMBIS failed: Input/output error
Jul 7 06:41:29 oneringydingy mgetty[2251]: cannot turn off soft carrier: Input/output error
Jul 7 06:41:29 oneringydingy mgetty[2251]: tcgetattr failed: Input/output error
Jul 7 06:41:29 oneringydingy mgetty[2251]: cannot get TIO: Input/output error

In permissive mode, it, of course, all works, but these audits are logged:

Jul 7 06:45:52 oneringydingy mgetty[1950]: data dev=ttyS14, pid=1950, caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd', user='/AutoPPP/'
Jul 7 06:45:52 oneringydingy kernel: audit(1120733152.895:4): avc: denied { search } for pid=1950 comm="mgetty" name=sbin dev=hda1 ino=159775 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir
Jul 7 06:45:53 oneringydingy kernel: CSLIP: code copyright 1989 Regents of the University of California
Jul 7 06:45:53 oneringydingy kernel: PPP generic driver version 2.4.2
Jul 7 06:45:53 oneringydingy kernel: audit(1120733153.722:5): avc: denied { read write } for pid=1950 comm="pppd" name=utmp dev=hda1 ino=47809 scontext=system_u:system_r:pppd_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Jul 7 06:45:53 oneringydingy kernel: audit(1120733153.723:6): avc: denied { lock } for pid=1950 comm="pppd" name=utmp dev=hda1 ino=47809 scontext=system_u:system_r:pppd_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Jul 7 06:45:53 oneringydingy pppd[1950]: pppd 2.4.2 started by a_ppp, uid 0
Jul 7 06:45:53 oneringydingy kernel: audit(1120733153.723:7): avc: denied { dac_override } for pid=1950 comm="pppd" capability=1 scontext=system_u:system_r:pppd_t tcontext=system_u:system_r:pppd_t tclass=capability
Jul 7 06:45:54 oneringydingy pppd[1950]: Using interface ppp0
Jul 7 06:45:54 oneringydingy pppd[1950]: Connect: ppp0 <--> /dev/ttyS14
Closer. Having updated to selinux-policy-targeted-1.25.2-4, ppp still fails to start with selinux in enforcing mode:

Jul 19 13:08:03 oneringydingy mgetty[1918]: data dev=ttyS45, pid=1918, caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd', user='/AutoPPP/'
Jul 19 13:08:03 oneringydingy mgetty[1918]: cannot execute '/usr/sbin/pppd': Permission denied
Jul 19 13:08:03 oneringydingy kernel: audit(1121792883.460:2): avc: denied { search } for pid=1918 comm="mgetty" name="sbin" dev=hda1 ino=159775 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir

In permissive mode:

Jul 19 13:11:30 oneringydingy mgetty[1923]: data dev=ttyS44, pid=1923, caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd', user='/AutoPPP/'
Jul 19 13:11:30 oneringydingy kernel: audit(1121793090.216:2): avc: denied { search } for pid=1923 comm="mgetty" name="sbin" dev=hda1 ino=159775 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir
Jul 19 13:11:30 oneringydingy kernel: CSLIP: code copyright 1989 Regents of the University of California
Still getting:

Jul 29 11:30:12 oneringydingy mgetty[2026]: data dev=ttyS44, pid=2026, caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd', user='/AutoPPP/'

with selinux-policy-targeted-1.25.3-6.
Oh wait... that wasn't the error message. Actually, selinux-policy-targeted-1.25.3-6 fixes the problem, and I've got it working now in enforcing mode. Thanks for the fix.
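The denial lists above are long because in the first report pppd never left the getty_t domain: every `comm="pppd"` line still carries `scontext=system_u:system_r:getty_t`, so pppd was running with mgetty's policy instead of its own, and in the 1.24-3 log the pppd lines are in pppd_t while only mgetty's search of sbin_t remains denied. The script below is an added example (editor's code, not part of the bug report or of the selinux-policy package) that parses kernel AVC lines of the format shown in the report, collapses them into (source type, target type, class) tuples with the union of denied permissions, and flags processes whose expected domain (the mapping `{"pppd": "pppd_t"}` is an assumption taken from the later log) differs from the domain they were denied in. The sample lines are copied from the report; the regexes are written for this report's syslog-style format and plain audit.log lines.

```python
import re
from collections import defaultdict

# Kernel AVC denial format as seen in this report. The syslog prefix
# ("Jun 30 ... kernel: audit(...):") is not anchored, so bare audit.log
# records parse too. Key=value fields may be bare, "quoted" or [bracketed].
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\[[^\]]*\]|\S+)')

# Sample input: lines copied from the bug report above.
SAMPLE_1_23_18 = [
    "Jun 30 14:03:56 oneringydingy mgetty[1964]: cannot execute '/usr/sbin/pppd': Permission denied",
    'Jun 30 14:03:56 oneringydingy kernel: audit(1120154636.031:2): avc: denied { search } for pid=1964 comm="mgetty" name=sbin dev=hda1 ino=159775 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir',
    'Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.567:11): avc: denied { setuid } for pid=2088 comm="pppd" capability=7 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability',
    'Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.348:19): avc: denied { read } for pid=2088 comm="pppd" name=chap-secrets dev=hda1 ino=32626 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_secret_t tclass=file',
    'Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.348:20): avc: denied { getattr } for pid=2088 comm="pppd" name=chap-secrets dev=hda1 ino=32626 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_secret_t tclass=file',
    'Jun 30 14:28:15 oneringydingy kernel: audit(1120156095.689:21): avc: denied { ioctl } for pid=2088 comm="pppd" name=[7800] dev=sockfs ino=7800 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=udp_socket',
]
SAMPLE_1_24_3 = [
    'Jul 7 06:45:52 oneringydingy kernel: audit(1120733152.895:4): avc: denied { search } for pid=1950 comm="mgetty" name=sbin dev=hda1 ino=159775 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir',
    'Jul 7 06:45:53 oneringydingy kernel: audit(1120733153.722:5): avc: denied { read write } for pid=1950 comm="pppd" name=utmp dev=hda1 ino=47809 scontext=system_u:system_r:pppd_t tcontext=system_u:object_r:initrc_var_run_t tclass=file',
    'Jul 7 06:45:53 oneringydingy kernel: audit(1120733153.723:6): avc: denied { lock } for pid=1950 comm="pppd" name=utmp dev=hda1 ino=47809 scontext=system_u:system_r:pppd_t tcontext=system_u:object_r:initrc_var_run_t tclass=file',
    'Jul 7 06:45:53 oneringydingy kernel: audit(1120733153.723:7): avc: denied { dac_override } for pid=1950 comm="pppd" capability=1 scontext=system_u:system_r:pppd_t tcontext=system_u:system_r:pppd_t tclass=capability',
]

# Assumed expected domain per process; pppd_t is what the 1.24-3 log shows.
EXPECTED_DOMAIN = {"pppd": "pppd_t"}


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    if "scontext" not in rec or "tcontext" not in rec or "tclass" not in rec:
        return None  # malformed record; not something we can classify
    # An SELinux context is user:role:type[:level]; the type is field 3.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines):
    """Group denials by (source type, target type, object class) and union the
    denied permissions, the same shape audit2allow prints as allow rules."""
    acc = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            acc[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in acc.items()}


def missing_transitions(lines, expected=EXPECTED_DOMAIN):
    """Return (comm, actual type, expected type) for processes that were denied
    while running in a domain other than the one policy should have
    transitioned them into. A non-empty result means the fix is a missing
    domain_auto_trans, not a pile of extra allow rules for the caller's domain."""
    found = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("comm") in expected and rec["stype"] != expected[rec["comm"]]:
            found.add((rec["comm"], rec["stype"], expected[rec["comm"]]))
    return sorted(found)


if __name__ == "__main__":
    for label, sample in (("1.23.18-17", SAMPLE_1_23_18), ("1.24-3", SAMPLE_1_24_3)):
        print(f"== policy {label} ==")
        for (src, tgt, cls), perms in sorted(summarize(sample).items()):
            print(f"  allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
        print("  missing transitions:", missing_transitions(sample) or "none")
```

Run against the first report the script lists pppd as denied in getty_t when pppd_t was expected; against the 1.24-3 log it reports no missing transition and leaves the single getty_t to sbin_t search denial, which is what the later policy updates in this thread fixed.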