From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
When a SpeedTouch USB ADSL modem is used, pppd attempts to load the relevant kernel modules. Presumably these would be speedtch, pppoatm and usb_atm. However, the default SELinux policy prevents pppd from loading any kernel module. To get around this problem I had to include the following rules in my local policy:

    allow pppd_t insmod_exec_t:file { execute getattr execute_no_trans read };
    allow pppd_t modules_conf_t:file { getattr read };
    allow pppd_t modules_object_t:dir search;
    allow pppd_t modules_object_t:file { getattr lock read write };
    allow pppd_t self:capability sys_module;

I suspect this is the wrong answer, because allowing pppd to load modules effectively makes it unconstrained. :-( However, I'm not clear what alternatives exist.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.24-3

How reproducible:
Always

Steps to Reproduce:
1. Install a SpeedTouch ADSL modem.
2. Install the software, in particular the modem firmware, which is not distributed with Fedora for copyright reasons. Set up the details of an ADSL connection in pppd's configuration files.
3. Ensure that the targeted policy is selected and that SELinux is set to enforcing.
4. Arrange for pppd to be run on system boot, for example by placing a command in /etc/rc.local (e.g. "/usr/sbin/pppd call kerneladsl"). Note that pppd seems to run successfully if it is started by root from the console -- perhaps in this case it runs in the unconfined domain?
5. Reboot system.

Actual Results:
Pppd fails with various AVC messages.

Expected Results:
Pppd should start and bring the ADSL line up.

Additional info:
I am adding this policy

    # pppd needs to load kernel modules for certain modems
    bool pppd_can_insmod false;
    if (pppd_can_insmod) {
    ifdef(`modutil.te', `
    domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
    ')
    }

You will have to

    setsebool -P pppd_can_insmod 1

Could you try that and see if it works?
It does work -- thank you.
Fixed in selinux-policy-targeted-1.25.2-3
Just wanted to let you know: I updated selinux-policy-targeted today, and this issue is now resolved. Thanks for fixing this so quickly.
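
The difference between the reporter's workaround (pppd_t runs insmod in its own domain and holds sys_module itself) and the boolean-gated transition to insmod_t can be checked mechanically over a local policy file. The following is an added example, not code from this bug report or from the policy project; the function names are hypothetical, and the TRANSITION_STYLE rules are a constructed simplification, not the actual expansion of domain_auto_trans.

```python
import re

# The five rules from the report's local-policy workaround (copied from the page).
WORKAROUND = """
allow pppd_t insmod_exec_t:file { execute getattr execute_no_trans read };
allow pppd_t modules_conf_t:file { getattr read };
allow pppd_t modules_object_t:dir search;
allow pppd_t modules_object_t:file { getattr lock read write };
allow pppd_t self:capability sys_module;
"""

# Constructed for contrast: the caller may only execute insmod by transitioning
# to insmod_t, and is never granted the capability itself.
TRANSITION_STYLE = """
allow pppd_t insmod_exec_t:file { getattr read execute };
allow pppd_t insmod_t:process transition;
type_transition pppd_t insmod_exec_t:process insmod_t;
"""

# Matches simple rules of the form: allow SRC TGT:CLASS PERM;  or  { PERM ... };
ALLOW_RE = re.compile(
    r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_allow_rules(text):
    """Yield (source, target, class, permissions) for each simple allow rule."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop policy comments
        for src, tgt, cls, perms in ALLOW_RE.findall(line):
            yield src, tgt, cls, frozenset(perms.strip("{} ").split())

def audit(text):
    """Flag domains that can load kernel modules without a domain transition."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(text):
        # The domain itself holds the module-loading capability.
        if cls == "capability" and "sys_module" in perms:
            findings.append((src, "holds capability sys_module itself"))
        # execute_no_trans: the helper binary runs inside the caller's domain.
        if cls == "file" and tgt.endswith("_exec_t") and "execute_no_trans" in perms:
            findings.append((src, f"runs {tgt} without leaving {src}"))
    return findings

if __name__ == "__main__":
    for label, rules in (("workaround", WORKAROUND), ("transition", TRANSITION_STYLE)):
        print(label, audit(rules))
```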