Bug 162237 - selinux breaks pppd
Summary: selinux breaks pppd
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-07-01 10:04 UTC by Fuji TSO
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.3-6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-01 12:08:08 UTC
Type: ---
Embargoed:



Description Fuji TSO 2005-07-01 10:04:16 UTC
Description of problem:
With the targeted policy enforcing, mgetty fails to invoke pppd.

I've updated to selinux-policy-targeted-1.23.18-17 and forced a relabeling by
creating /.autorelabel and rebooting, but the problem persists.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-17

How reproducible:
Every time

Steps to Reproduce:
1. Upgrade from FC3 to FC4, configure mgetty and pppd as a dial-in server
2. Update to selinux-policy-targeted-1.23.18-17
3. Attempt to dial-in to the system

Actual results:
If selinux is enforcing, mgetty fails to start pppd:

Jun 30 14:03:56 oneringydingy mgetty[1964]: cannot execute '/usr/sbin/pppd':
Permission denied
Jun 30 14:03:56 oneringydingy kernel: audit(1120154636.031:2): avc:  denied  {
search } for  pid=1964 comm="mgetty" name=sbin dev=hda1 ino=159775
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir

If selinux is permissive, pppd works, but these messages are logged:

Jun 30 14:28:12 oneringydingy mgetty[2088]: data dev=ttyS46, pid=2088,
caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd',
user='/AutoPPP/'
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.715:4): avc:  denied  {
search } for  pid=2088 comm="mgetty" name=sbin dev=hda1 ino=159775
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:5): avc:  denied  {
execute } for  pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t
tclass=file
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:6): avc:  denied  {
execute_no_trans } for  pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t
tclass=file
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:7): avc:  denied  {
read } for  pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t
tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.421:8): avc:  denied  {
search } for  pid=2088 comm="pppd" name=ppp dev=hda1 ino=32851
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_etc_t tclass=dir
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.515:9): avc:  denied  {
read } for  pid=2088 comm="pppd" name=options dev=hda1 ino=32412
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_etc_rw_t
tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.515:10): avc:  denied  {
getattr } for  pid=2088 comm="pppd" name=options dev=hda1 ino=32412
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_etc_rw_t
tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.567:11): avc:  denied  {
setuid } for  pid=2088 comm="pppd" capability=7
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=capability
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.567:12): avc:  denied  {
search } for  pid=2088 comm="pppd" name=root dev=hda1 ino=63841
scontext=system_u:system_r:getty_t tcontext=root:object_r:user_home_dir_t tclass=dir
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.568:13): avc:  denied  {
read write } for  pid=2088 comm="pppd" name=ppp dev=tmpfs ino=2190
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ppp_device_t
tclass=chr_file
Jun 30 14:28:13 oneringydingy kernel: CSLIP: code copyright 1989 Regents of the
University of California
Jun 30 14:28:13 oneringydingy kernel: PPP generic driver version 2.4.2
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.957:14): avc:  denied  {
net_admin } for  pid=2088 comm="pppd" capability=12
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=capability
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.958:15): avc:  denied  {
read } for  pid=2088 comm="pppd" name=resolv.conf dev=hda1 ino=31915
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:net_conf_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.958:16): avc:  denied  {
getattr } for  pid=2088 comm="pppd" name=resolv.conf dev=hda1 ino=31915
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:net_conf_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.959:17): avc:  denied  {
create } for  pid=2088 comm="pppd" scontext=system_u:system_r:getty_t
tcontext=system_u:system_r:getty_t tclass=udp_socket
Jun 30 14:28:13 oneringydingy pppd[2088]: pppd 2.4.2 started by a_ppp, uid 0
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.321:18): avc:  denied  {
ioctl } for  pid=2088 comm="pppd" name=ppp dev=tmpfs ino=2190
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ppp_device_t
tclass=chr_file
Jun 30 14:28:14 oneringydingy pppd[2088]: Using interface ppp0
Jun 30 14:28:14 oneringydingy pppd[2088]: Connect: ppp0 <--> /dev/ttyS46
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.348:19): avc:  denied  {
read } for  pid=2088 comm="pppd" name=chap-secrets dev=hda1 ino=32626
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_secret_t
tclass=file
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.348:20): avc:  denied  {
getattr } for  pid=2088 comm="pppd" name=chap-secrets dev=hda1 ino=32626
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_secret_t
tclass=file
Jun 30 14:28:15 oneringydingy kernel: audit(1120156095.689:21): avc:  denied  {
ioctl } for  pid=2088 comm="pppd" name=[7800] dev=sockfs ino=7800
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=udp_socket
Jun 30 14:28:16 oneringydingy pppd[2088]: Unsupported protocol 'Compression
Control Protocol' (0x80fd) received
Jun 30 14:28:16 oneringydingy pppd[2088]: found interface eth0 for proxy arp
Jun 30 14:28:16 oneringydingy pppd[2088]: local  IP address 1.1.1.1
Jun 30 14:28:16 oneringydingy pppd[2088]: remote IP address 1.1.1.28
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.230:22): avc:  denied  {
getattr } for  pid=2088 comm="pppd" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.231:23): avc:  denied  {
setgid } for  pid=2631 comm="pppd" capability=6
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=capability
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.231:24): avc:  denied  {
execute } for  pid=2631 comm="pppd" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.232:25): avc:  denied  {
execute_no_trans } for  pid=2631 comm="pppd" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.232:26): avc:  denied  {
read } for  pid=2631 comm="pppd" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.232:27): avc:  denied  {
read } for  pid=2088 comm="pppd" name=[7859] dev=pipefs ino=7859
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=fifo_file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.437:28): avc:  denied  {
execute } for  pid=2631 comm="pppd" name=bash dev=hda1 ino=63824
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:shell_exec_t
tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.437:29): avc:  denied  {
read } for  pid=2631 comm="pppd" name=bash dev=hda1 ino=63824
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:shell_exec_t
tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.440:30): avc:  denied  {
read write } for  pid=2631 comm="ip-up" name=tty dev=tmpfs ino=2191
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:devtty_t
tclass=chr_file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.444:31): avc:  denied  {
read } for  pid=2631 comm="ip-up" name=meminfo dev=proc ino=-268435454
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.444:32): avc:  denied  {
getattr } for  pid=2631 comm="ip-up" name=meminfo dev=proc ino=-268435454
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.485:33): avc:  denied  {
ioctl } for  pid=2631 comm="ip-up" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.545:34): avc:  denied  {
read } for  pid=2632 comm="ip-up" name=sh dev=hda1 ino=63765
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Jun 30 14:28:52 oneringydingy pppd[2088]: LCP terminated by peer (User request)
Jun 30 14:28:52 oneringydingy kernel: audit(1120156132.952:35): avc:  denied  {
execute } for  pid=2640 comm="ip-down" name=ifdown-post dev=hda1 ino=33139
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:etc_t tclass=file
Jun 30 14:28:52 oneringydingy kernel: audit(1120156132.955:36): avc:  denied  {
execute_no_trans } for  pid=2640 comm="ip-down" name=ifdown-post dev=hda1
ino=33139 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:etc_t
tclass=file
Jun 30 14:28:53 oneringydingy kernel: audit(1120156133.029:37): avc:  denied  {
ioctl } for  pid=2640 comm="ifdown-post" name=ifdown-post dev=hda1 ino=33139
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:etc_t tclass=file
Jun 30 14:28:53 oneringydingy kernel: audit(1120156133.049:38): avc:  denied  {
getattr } for  pid=2643 comm="sed" name=[7873] dev=pipefs ino=7873
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=fifo_file
Jun 30 14:28:53 oneringydingy kernel: audit(1120156133.129:39): avc:  denied  {
write } for  pid=2642 comm="basename" name=[7873] dev=pipefs ino=7873
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=fifo_file

Expected results:
ppp connection should be successful.

Additional info:

Comment 1 Daniel Walsh 2005-07-03 15:26:47 UTC
Fixed in selinux-policy-targeted-1.24-3

Comment 2 Fuji TSO 2005-07-07 10:51:23 UTC
Thanks for the update, but something still isn't quite right.

With selinux-policy-targeted-1.24-3, in enforcing mode, mgetty still fails to
invoke ppp with these messages logged:
Jul  7 06:41:28 oneringydingy mgetty[1954]: data dev=ttyS45, pid=1954,
caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd',
user='/AutoPPP/'
Jul  7 06:41:28 oneringydingy mgetty[1954]: cannot execute '/usr/sbin/pppd':
Permission denied
Jul  7 06:41:28 oneringydingy kernel: audit(1120732888.984:3): avc:  denied  {
search } for  pid=1954 comm="mgetty" name=sbin dev=hda1 ino=159775
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir
Jul  7 06:41:29 oneringydingy mgetty[2251]: TIOCMBIS failed: Input/output error
Jul  7 06:41:29 oneringydingy mgetty[2251]: cannot turn off soft carrier:
Input/output error
Jul  7 06:41:29 oneringydingy mgetty[2251]: tcgetattr failed: Input/output error
Jul  7 06:41:29 oneringydingy mgetty[2251]: cannot get TIO: Input/output error

In permissive mode, it, of course, all works, but these audits are logged:
Jul  7 06:45:52 oneringydingy mgetty[1950]: data dev=ttyS14, pid=1950,
caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd',
user='/AutoPPP/'
Jul  7 06:45:52 oneringydingy kernel: audit(1120733152.895:4): avc:  denied  {
search } for  pid=1950 comm="mgetty" name=sbin dev=hda1 ino=159775
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir
Jul  7 06:45:53 oneringydingy kernel: CSLIP: code copyright 1989 Regents of the
University of California
Jul  7 06:45:53 oneringydingy kernel: PPP generic driver version 2.4.2
Jul  7 06:45:53 oneringydingy kernel: audit(1120733153.722:5): avc:  denied  {
read write } for  pid=1950 comm="pppd" name=utmp dev=hda1 ino=47809
scontext=system_u:system_r:pppd_t tcontext=system_u:object_r:initrc_var_run_t
tclass=file
Jul  7 06:45:53 oneringydingy kernel: audit(1120733153.723:6): avc:  denied  {
lock } for  pid=1950 comm="pppd" name=utmp dev=hda1 ino=47809
scontext=system_u:system_r:pppd_t tcontext=system_u:object_r:initrc_var_run_t
tclass=file
Jul  7 06:45:53 oneringydingy pppd[1950]: pppd 2.4.2 started by a_ppp, uid 0
Jul  7 06:45:53 oneringydingy kernel: audit(1120733153.723:7): avc:  denied  {
dac_override } for  pid=1950 comm="pppd" capability=1
scontext=system_u:system_r:pppd_t tcontext=system_u:system_r:pppd_t
tclass=capability
Jul  7 06:45:54 oneringydingy pppd[1950]: Using interface ppp0
Jul  7 06:45:54 oneringydingy pppd[1950]: Connect: ppp0 <--> /dev/ttyS14
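
The two AVC dumps (the Description and Comment 2) are easier to read once grouped. The script below is an added example, not part of the bug report or of the Fedora policy package: it parses the old dmesg-style `avc: denied` format, collapses denials into audit2allow-style rules, and flags the actual defect the Description shows, pppd processes still running as getty_t because the execute of pppd_exec_t was denied and no transition to pppd_t took place (Comment 2's denials, by contrast, already come from pppd_t). The sample lines are constructed by re-joining wrapped messages from this report.

```python
import re
from collections import defaultdict

# Constructed input: AVC lines from this bug report, re-joined onto single lines.
SAMPLE_LOG = """\
Jun 30 14:03:56 oneringydingy kernel: audit(1120154636.031:2): avc:  denied  { search } for  pid=1964 comm="mgetty" name=sbin dev=hda1 ino=159775 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:5): avc:  denied  { execute } for  pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.567:11): avc:  denied  { setuid } for  pid=2088 comm="pppd" capability=7 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.568:13): avc:  denied  { read write } for  pid=2088 comm="pppd" name=ppp dev=tmpfs ino=2190 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ppp_device_t tclass=chr_file
Jul  7 06:45:53 oneringydingy kernel: audit(1120733153.722:5): avc:  denied  { read write } for  pid=1950 comm="pppd" name=utmp dev=hda1 ino=47809 scontext=system_u:system_r:pppd_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict of its key=value fields plus 'perms'; None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    ev = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    ev['perms'] = m.group(1).split()
    return ev


def domain(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def summarize(log):
    """Collapse denials into audit2allow-style rules keyed by (source type, target type, class)."""
    rules = defaultdict(set)
    for ev in map(parse_avc, log.splitlines()):
        if ev:
            rules[(domain(ev['scontext']), domain(ev['tcontext']), ev['tclass'])].update(ev['perms'])
    return {k: sorted(v) for k, v in rules.items()}


def untransitioned(log, comm, expected):
    """PIDs of `comm` denied while in a domain other than `expected`: evidence of a missing domain transition."""
    return sorted({ev['pid'] for ev in map(parse_avc, log.splitlines())
                   if ev and ev['comm'] == comm and domain(ev['scontext']) != expected})


if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize(SAMPLE_LOG).items():
        print(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    print("pppd pids never transitioned to pppd_t:", untransitioned(SAMPLE_LOG, 'pppd', 'pppd_t'))
```

The grouped rules are a reading aid, not something to load as a local policy: the right fix, as the maintainer's policy updates show, is to let getty_t execute pppd_exec_t with a transition to pppd_t rather than to grant getty_t every permission pppd needs.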

Comment 3 Fuji TSO 2005-07-19 17:16:47 UTC
Closer. Having updated to selinux-policy-targeted-1.25.2-4, ppp still fails to
start with selinux in enforcing mode:

Jul 19 13:08:03 oneringydingy mgetty[1918]: data dev=ttyS45, pid=1918,
caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd',
user='/AutoPPP/'
Jul 19 13:08:03 oneringydingy mgetty[1918]: cannot execute '/usr/sbin/pppd':
Permission denied
Jul 19 13:08:03 oneringydingy kernel: audit(1121792883.460:2): avc:  denied  {
search } for  pid=1918 comm="mgetty" name="sbin" dev=hda1 ino=159775
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir

In permissive mode:

Jul 19 13:11:30 oneringydingy mgetty[1923]: data dev=ttyS44, pid=1923,
caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd',
user='/AutoPPP/'
Jul 19 13:11:30 oneringydingy kernel: audit(1121793090.216:2): avc:  denied  {
search } for  pid=1923 comm="mgetty" name="sbin" dev=hda1 ino=159775
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir
Jul 19 13:11:30 oneringydingy kernel: CSLIP: code copyright 1989 Regents of the
University of California


Comment 4 Fuji TSO 2005-07-29 15:43:42 UTC
Still getting:

Jul 29 11:30:12 oneringydingy mgetty[2026]: data dev=ttyS44, pid=2026,
caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd',
user='/AutoPPP/'

with selinux-policy-targeted-1.25.3-6.


Comment 5 Fuji TSO 2005-07-29 15:57:13 UTC
Oh wait... that wasn't the error message.

Actually, selinux-policy-targeted-1.25.3-6 fixes the problem, and I've got it
working now in enforcing mode.

Thanks for the fix.