162252 – selinux breaks pppd

Bug 162252 - selinux breaks pppd

Summary: selinux breaks pppd

Keywords:
Status:	CLOSED DUPLICATE of bug 162200
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	4
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-07-01 16:39 UTC by Fuji TSO
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-08-19 06:46:13 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Fuji TSO 2005-07-01 16:39:41 UTC

Description of problem:
With the targeted policy enforcing, mgetty fails to invoke pppd.

I've updated to selinux-policy-targeted-1.23.18-17 and forced a relabeling by
creating /.autorelabel and rebooting, but the problem persists.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-17

How reproducible:
Every time

Steps to Reproduce:
1. Upgrade from FC3 to FC4, configure mgetty and pppd as a dial-in server
2. Update to selinux-policy-targeted-1.23.18-17
3. Attempt to dial-in to the system

Actual results:
If selinux is enforcing, mgetty fails to start pppd:

Jun 30 14:03:56 oneringydingy mgetty[1964]: cannot execute '/usr/sbin/pppd':
Permission denied
Jun 30 14:03:56 oneringydingy kernel: audit(1120154636.031:2): avc:  denied  {
search } for  pid=1964 comm="mgetty" name=sbin dev=hda1 ino=159775
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir

If selinux is permissive, pppd works, but these messages are logged:

Jun 30 14:28:12 oneringydingy mgetty[2088]: data dev=ttyS46, pid=2088,
caller='none', conn='31200/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd',
user='/AutoPPP/'
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.715:4): avc:  denied  {
search } for  pid=2088 comm="mgetty" name=sbin dev=hda1 ino=159775
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sbin_t tclass=dir
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:5): avc:  denied  {
execute } for  pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t
tclass=file
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:6): avc:  denied  {
execute_no_trans } for  pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t
tclass=file
Jun 30 14:28:12 oneringydingy kernel: audit(1120156092.743:7): avc:  denied  {
read } for  pid=2088 comm="mgetty" name=pppd dev=hda1 ino=159968
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_exec_t
tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.421:8): avc:  denied  {
search } for  pid=2088 comm="pppd" name=ppp dev=hda1 ino=32851
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_etc_t tclass=dir
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.515:9): avc:  denied  {
read } for  pid=2088 comm="pppd" name=options dev=hda1 ino=32412
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_etc_rw_t
tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.515:10): avc:  denied  {
getattr } for  pid=2088 comm="pppd" name=options dev=hda1 ino=32412
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_etc_rw_t
tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.567:11): avc:  denied  {
setuid } for  pid=2088 comm="pppd" capability=7
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=capability
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.567:12): avc:  denied  {
search } for  pid=2088 comm="pppd" name=root dev=hda1 ino=63841
scontext=system_u:system_r:getty_t tcontext=root:object_r:user_home_dir_t tclass=dir
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.568:13): avc:  denied  {
read write } for  pid=2088 comm="pppd" name=ppp dev=tmpfs ino=2190
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ppp_device_t
tclass=chr_file
Jun 30 14:28:13 oneringydingy kernel: CSLIP: code copyright 1989 Regents of the
University of California
Jun 30 14:28:13 oneringydingy kernel: PPP generic driver version 2.4.2
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.957:14): avc:  denied  {
net_admin } for  pid=2088 comm="pppd" capability=12
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=capability
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.958:15): avc:  denied  {
read } for  pid=2088 comm="pppd" name=resolv.conf dev=hda1 ino=31915
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:net_conf_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.958:16): avc:  denied  {
getattr } for  pid=2088 comm="pppd" name=resolv.conf dev=hda1 ino=31915
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:net_conf_t tclass=file
Jun 30 14:28:13 oneringydingy kernel: audit(1120156093.959:17): avc:  denied  {
create } for  pid=2088 comm="pppd" scontext=system_u:system_r:getty_t
tcontext=system_u:system_r:getty_t tclass=udp_socket
Jun 30 14:28:13 oneringydingy pppd[2088]: pppd 2.4.2 started by a_ppp, uid 0
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.321:18): avc:  denied  {
ioctl } for  pid=2088 comm="pppd" name=ppp dev=tmpfs ino=2190
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ppp_device_t
tclass=chr_file
Jun 30 14:28:14 oneringydingy pppd[2088]: Using interface ppp0
Jun 30 14:28:14 oneringydingy pppd[2088]: Connect: ppp0 <--> /dev/ttyS46
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.348:19): avc:  denied  {
read } for  pid=2088 comm="pppd" name=chap-secrets dev=hda1 ino=32626
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_secret_t
tclass=file
Jun 30 14:28:14 oneringydingy kernel: audit(1120156094.348:20): avc:  denied  {
getattr } for  pid=2088 comm="pppd" name=chap-secrets dev=hda1 ino=32626
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:pppd_secret_t
tclass=file
Jun 30 14:28:15 oneringydingy kernel: audit(1120156095.689:21): avc:  denied  {
ioctl } for  pid=2088 comm="pppd" name=[7800] dev=sockfs ino=7800
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=udp_socket
Jun 30 14:28:16 oneringydingy pppd[2088]: Unsupported protocol 'Compression
Control Protocol' (0x80fd) received
Jun 30 14:28:16 oneringydingy pppd[2088]: found interface eth0 for proxy arp
Jun 30 14:28:16 oneringydingy pppd[2088]: local  IP address 1.1.1.1
Jun 30 14:28:16 oneringydingy pppd[2088]: remote IP address 1.1.1.28
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.230:22): avc:  denied  {
getattr } for  pid=2088 comm="pppd" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.231:23): avc:  denied  {
setgid } for  pid=2631 comm="pppd" capability=6
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=capability
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.231:24): avc:  denied  {
execute } for  pid=2631 comm="pppd" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.232:25): avc:  denied  {
execute_no_trans } for  pid=2631 comm="pppd" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.232:26): avc:  denied  {
read } for  pid=2631 comm="pppd" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.232:27): avc:  denied  {
read } for  pid=2088 comm="pppd" name=[7859] dev=pipefs ino=7859
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
tclass=fifo_file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.437:28): avc:  denied  {
execute } for  pid=2631 comm="pppd" name=bash dev=hda1 ino=63824
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:shell_exec_t
tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.437:29): avc:  denied  {
read } for  pid=2631 comm="pppd" name=bash dev=hda1 ino=63824
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:shell_exec_t
tclass=file
Jun 30 14:28:16 oneringydingy kernel: audit(1120156096.440:30): avc:  denied  {
read write } for  pid=2631 comm="ip-up" name=tty dev=tmpfs ino=2191
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:devtty_t
tclass=chr_file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.444:31): avc:  denied  {
read } for  pid=2631 comm="ip-up" name=meminfo dev=proc ino=-268435454
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.444:32): avc:  denied  {
getattr } for  pid=2631 comm="ip-up" name=meminfo dev=proc ino=-268435454
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.485:33): avc:  denied  {
ioctl } for  pid=2631 comm="ip-up" name=ip-up dev=hda1 ino=32870
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 14:28:17 oneringydingy kernel: audit(1120156096.545:34): avc:  denied  {
read } for  pid=2632 comm="ip-up" name=sh dev=hda1 ino=63765
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Jun 30 14:28:52 oneringydingy pppd[2088]: LCP terminated by peer (User request)
Jun 30 14:28:52 oneringydingy kernel: audit(1120156132.952:35): avc:  denied  {
execute } for  pid=2640 comm="ip-down" name=ifdown-post dev=hda1 ino=33139
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:etc_t tclass=file
Jun 30 14:28:52 oneringydingy kernel: audit(1120156132.955:36): avc:  denied  {
execute_no_trans } for  pid=2640 comm="ip-down" name=ifdown-post dev=hda1
ino=33139 scontext=system_u:system_r:getty_ttcontext=system_u:object_r:etc_t
tclass=file
Jun 30 14:28:53 oneringydingy kernel: audit(1120156133.029:37): avc:  denied  {
ioctl } for  pid=2640 comm="ifdown-post" name=ifdown-post dev=hda1 ino=33139
scontext=system_u:system_r:getty_ttcontext=system_u:object_r:etc_t tclass=file
Jun 30 14:28:53 oneringydingy kernel: audit(1120156133.049:38): avc:  denied  {
getattr } for  pid=2643 comm="sed" name=[7873] dev=pipefs ino=7873
scontext=system_u:system_r:getty_ttcontext=system_u:system_r:getty_t
tclass=fifo_file
Jun 30 14:28:53 oneringydingy kernel: audit(1120156133.129:39): avc:  denied  {
write } for  pid=2642 comm="basename" name=[7873] dev=pipefs ino=7873
scontext=system_u:system_r:getty_ttcontext=system_u:system_r:getty_t
tclass=fifo_file

Expected results:
ppp connection should be successful.

Additional info:

Comment 1 Daniel Walsh 2005-07-03 15:26:45 UTC

Fixed in selinux-policy-targeted-1.24-3

Comment 2 Walter Justen 2005-08-19 06:46:13 UTC


*** This bug has been marked as a duplicate of 162200 ***

Note You need to log in before you can comment on or make changes to this bug.