Bug 162955 - SELinux stops pppd loading SpeedTouch module
Summary: SELinux stops pppd loading SpeedTouch module
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-07-11 20:24 UTC by Pete Chown
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-18 14:12:46 UTC
Type: ---
Embargoed:



Description Pete Chown 2005-07-11 20:24:10 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
When a SpeedTouch USB ADSL modem is used, pppd attempts to load the relevant kernel modules.  Presumably these would be speedtch, pppoatm and usb_atm.  However, the default SELinux policy prevents pppd from loading any kernel module.

To get around this problem I had to include the following rules in my local policy:

allow pppd_t insmod_exec_t:file { execute getattr execute_no_trans read };
allow pppd_t modules_conf_t:file { getattr read };
allow pppd_t modules_object_t:dir search;
allow pppd_t modules_object_t:file { getattr lock read write };
allow pppd_t self:capability sys_module;

I suspect this is the wrong answer, because allowing pppd to load modules effectively makes it unconstrained. :-( However, I'm not clear what alternatives exist.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.24-3

How reproducible:
Always

Steps to Reproduce:
1. Install a SpeedTouch ADSL modem.

2. Install the software, in particular the modem firmware, which is not distributed with Fedora for copyright reasons.  Set up the details of an ADSL connection in pppd's configuration files.

3. Ensure that the targeted policy is selected and that SELinux is set to enforcing.

4. Arrange for pppd to be run on system boot, for example by placing a command in /etc/rc.local (eg "/usr/sbin/pppd call kerneladsl").  Note that pppd seems to run successfully if it is started by root from the console -- perhaps in this case it runs in the unconfined domain?

5. Reboot system.

Actual Results:  Pppd fails with various AVC messages.

Expected Results:  Pppd should start and bring the ADSL line up.

Additional info:

Comment 1 Daniel Walsh 2005-07-12 10:06:04 UTC
I am adding this policy

# pppd needs to load kernel modules for certain modems
bool pppd_can_insmod false;
if (pppd_can_insmod) {
ifdef(`modutil.te', `
domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
')
}

You will have to 
setsebool -P pppd_can_insmod 1

Could you try that and see if it works?
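The two approaches in this thread, the reporter's blanket allow rules derived from the AVC denials and the boolean-gated domain transition in the comment above, differ in how much confinement pppd keeps. The following Python is an added example, not code from the bug report, Fedora, or the SELinux policy project. It parses constructed AVC lines in the audit format of that era (the pids, inodes and timestamps are made up; the type names are the ones the report mentions), aggregates them into the allow rules that audit2allow-style tooling would propose, and then reviews those rules for the grants that amount to letting a domain load kernel code. The helper names (parse_avc, to_allow_rules, review, suggest_policy) and the check thresholds are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the bug report). The
# denials mirror the ones the reporter worked around; one SYSCALL record
# is included to show that non-AVC lines are ignored.
SAMPLE_AVC = (
    'type=AVC msg=audit(1121113456.123:45): avc:  denied  { execute } for  '
    'pid=2345 comm="pppd" name="modprobe" dev=hda2 ino=12345 '
    'scontext=system_u:system_r:pppd_t tcontext=system_u:object_r:insmod_exec_t tclass=file\n'
    'type=SYSCALL msg=audit(1121113456.123:45): arch=40000003 syscall=11 success=no exit=-13\n'
    'type=AVC msg=audit(1121113456.124:46): avc:  denied  { read getattr execute_no_trans } for  '
    'pid=2345 comm="pppd" name="modprobe" dev=hda2 ino=12345 '
    'scontext=system_u:system_r:pppd_t tcontext=system_u:object_r:insmod_exec_t tclass=file\n'
    'type=AVC msg=audit(1121113456.125:47): avc:  denied  { sys_module } for  '
    'pid=2345 comm="modprobe" capability=16 '
    'scontext=system_u:system_r:pppd_t tcontext=system_u:system_r:pppd_t tclass=capability\n'
    'type=AVC msg=audit(1121113456.126:48): avc:  denied  { search } for  '
    'pid=2345 comm="modprobe" name="modules" dev=hda2 ino=777 '
    'scontext=system_u:system_r:pppd_t tcontext=system_u:object_r:modules_object_t tclass=dir\n'
    'type=AVC msg=audit(1121113456.127:49): avc:  denied  { read write } for  '
    'pid=2345 comm="modprobe" name="modules.dep" dev=hda2 ino=778 '
    'scontext=system_u:system_r:pppd_t tcontext=system_u:object_r:modules_object_t tclass=file\n'
)

# Matches the permission set and the source/target contexts of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)"
)


def type_of(context):
    """Extract the type field from a user:role:type[:range] context."""
    return context.split(":")[2]


def parse_avc(text):
    """Return {(source_type, target_type, class): set(perms)} for AVC denials."""
    denials = defaultdict(set)
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # SYSCALL, PATH and other record types carry no denial
        key = (type_of(match["sctx"]), type_of(match["tctx"]), match["tclass"])
        denials[key].update(match["perms"].split())
    return dict(denials)


def to_allow_rules(denials):
    """Render the denials as the allow rules a tool like audit2allow would emit."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        target = "self" if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def review(denials):
    """Flag grants that let the confined domain load or alter kernel code.

    A domain holding these is no longer meaningfully confined, which is the
    concern the reporter raised about the blanket rules.
    """
    findings = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        if tclass == "file" and ttype == "insmod_exec_t" and "execute" in perms:
            findings.append(f"{stype}: runs modprobe/insmod in its own domain; "
                            "prefer a transition to insmod_t")
        if tclass == "file" and ttype == "modules_object_t" and "write" in perms:
            findings.append(f"{stype}: can modify module files on disk")
        if tclass == "capability" and "sys_module" in perms:
            findings.append(f"{stype}: sys_module lets it load arbitrary kernel code")
    return findings


def suggest_policy(domain):
    """Render the boolean-gated transition used as the fix in this bug.

    The boolean name is derived from the domain (pppd_t -> pppd_can_insmod);
    that naming convention is an assumption of this example.
    """
    stem = domain[:-2] if domain.endswith("_t") else domain
    boolean = f"{stem}_can_insmod"
    return "\n".join([
        f"bool {boolean} false;",
        f"if ({boolean}) {{",
        f"domain_auto_trans({domain}, insmod_exec_t, insmod_t)",
        "}",
    ])


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AVC)
    for rule in to_allow_rules(found):
        print(rule)
    for finding in review(found):
        print("WARNING:", finding)
    print(suggest_policy("pppd_t"))
```

The review step is the part worth keeping in a workflow: the aggregated rules are exactly what a mechanical translation of the denials produces, and all three warnings fire on them, whereas the transition to insmod_t keeps module loading inside the domain that is already written for it and leaves pppd_t unchanged when the boolean is off.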

Comment 2 Pete Chown 2005-07-13 14:17:52 UTC
It does work -- thank you.

Comment 3 Daniel Walsh 2005-07-13 14:55:17 UTC
Fixed in selinux-policy-targeted-1.25.2-3

Comment 4 Pete Chown 2005-07-18 09:27:48 UTC
Just wanted to let you know: I updated selinux-policy-targeted today, and this
issue is now resolved.  Thanks for fixing this so quickly.
