Bug 162955 - SELinux stops pppd loading SpeedTouch module
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-07-11 16:24 EDT by Pete Chown
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-07-18 10:12:46 EDT


Description Pete Chown 2005-07-11 16:24:10 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
When a SpeedTouch USB ADSL modem is used, pppd attempts to load the relevant kernel modules.  Presumably these would be speedtch, pppoatm and usb_atm.  However, the default SELinux policy prevents pppd from loading any kernel module.

To get around this problem I had to include the following rules in my local policy:

allow pppd_t insmod_exec_t:file { execute getattr execute_no_trans read };
allow pppd_t modules_conf_t:file { getattr read };
allow pppd_t modules_object_t:dir search;
allow pppd_t modules_object_t:file { getattr lock read write };
allow pppd_t self:capability sys_module;

I suspect this is the wrong answer, because allowing pppd to load modules effectively makes it unconstrained. :-( However, I'm not clear what alternatives exist.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.24-3

How reproducible:
Always

Steps to Reproduce:
1. Install a SpeedTouch ADSL modem.

2. Install the software, in particular the modem firmware, which is not distributed with Fedora for copyright reasons.  Set up the details of an ADSL connection in pppd's configuration files.

3. Ensure that the targeted policy is selected and that SELinux is set to enforcing.

4. Arrange for pppd to be run on system boot, for example by placing a command in /etc/rc.local (e.g. "/usr/sbin/pppd call kerneladsl").  Note that pppd seems to run successfully if it is started by root from the console -- perhaps in this case it runs in the unconfined domain?

5. Reboot system.

Actual Results:  Pppd fails with various AVC messages.

Expected Results:  Pppd should start and bring the ADSL line up.

Additional info:
Comment 1 Daniel Walsh 2005-07-12 06:06:04 EDT
I am adding this policy 

# pppd needs to load kernel modules for certain modems
bool pppd_can_insmod false;
if (pppd_can_insmod) {
ifdef(`modutil.te', `
domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
')
}

You will have to 
setsebool -P pppd_can_insmod 1

Could you try that and see if it works?
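
An added example, not part of the bug thread or of the Fedora policy: a small Python check that parses the allow rules posted in the description and flags the ones that place module-loading privilege in pppd_t itself, next to a constructed sketch of a transition to insmod_t of the kind Comment 1 sets up. The function names, the three heuristics and the transition sketch are assumptions made for illustration.

```python
import re

# The five local rules from the bug description, copied as posted.
LOCAL_RULES = """
allow pppd_t insmod_exec_t:file { execute getattr execute_no_trans read };
allow pppd_t modules_conf_t:file { getattr read };
allow pppd_t modules_object_t:dir search;
allow pppd_t modules_object_t:file { getattr lock read write };
allow pppd_t self:capability sys_module;
"""

# Constructed sketch (assumption): roughly what a pppd_t -> insmod_t
# transition grants. It is not the real expansion of domain_auto_trans().
TRANSITION_SKETCH = """
allow pppd_t insmod_exec_t:file { getattr read execute };
allow pppd_t insmod_t:process transition;
type_transition pppd_t insmod_exec_t:process insmod_t;
"""

ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;", re.M)

def parse_allow_rules(text):
    """Return (source, target, class, perms) for every allow rule in text."""
    rules = []
    for src, tgt, cls, perm_set, perm_one in ALLOW_RE.findall(text):
        tgt = src if tgt == "self" else tgt   # 'self' means the source domain
        rules.append((src, tgt, cls, frozenset((perm_set or perm_one).split())))
    return rules

def audit(text):
    """Return sorted (domain, finding) pairs; the three checks are heuristics."""
    findings = set()
    for src, tgt, cls, perms in parse_allow_rules(text):
        if tgt == src and cls == "capability" and "sys_module" in perms:
            findings.add((src, "holds sys_module itself"))
        if tgt == "insmod_exec_t" and "execute_no_trans" in perms:
            findings.add((src, "runs insmod without a domain transition"))
        if tgt == "modules_object_t" and cls == "file" and "write" in perms:
            findings.add((src, "can write module object files"))
    return sorted(findings)

if __name__ == "__main__":
    for label, text in (("local rules", LOCAL_RULES), ("transition", TRANSITION_SKETCH)):
        print(label, audit(text) or "no module-loading privilege in the caller")
```
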
Comment 2 Pete Chown 2005-07-13 10:17:52 EDT
It does work -- thank you.
Comment 3 Daniel Walsh 2005-07-13 10:55:17 EDT
Fixed in selinux-policy-targeted-1.25.2-3  	


Comment 4 Pete Chown 2005-07-18 05:27:48 EDT
Just wanted to let you know: I updated selinux-policy-targeted today, and this
issue is now resolved.  Thanks for fixing this so quickly.
