Description of problem:
When initializing a ppp connection via NetworkManager, pppd gets AVC denials for /var/run, /etc/default-routes, and /etc/resolv.conf.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-30.el5
selinux-policy-targeted-2.4.6-30.el5
NetworkManager-glib-0.6.4-6.el5
NetworkManager-0.6.4-6.el5
NetworkManager-gnome-0.6.4-6.el5
ppp-2.4.4-1.el5

How reproducible:

Steps to Reproduce:
1. Define dial-up interface
2. Use NetworkManager to connect via dial-up interface
3.

Actual results:
3 AVC denial messages

Expected results:
no AVC denial messages

Additional info:
*** Bug 236793 has been marked as a duplicate of this bug. ***
I also get AVC denials when trying to sync my phone over bluetooth. PPP is unable to read/write /var/run/pppd2.tdb. If I use 'setenforce 0', I'm able to sync. The pppd2.tdb file seems to get created dynamically to match up connections for multilink. I don't know if it would be better if it was created under /var/run/ppp, though that looks like it would be a build option.
This looks like a labeling problem. restorecon /var/run/pppd2.tdb should fix the label on this file. The question is how did it get the wrong label? Also the resolv.conf that it is complaining about is this in /etc or /etc/ppp?
re #4: /etc/resolv.conf
How do you set this up?
Could you check this against the u1 policy. Currently available in preview at http://people.redhat.com/dwalsh/SELinux/RHEL5/u1 I believe this is fixed in selinux-policy-2.4.6-71
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Still getting errors:

SYSLOG
May 18 13:23:17 dakar-lap pppd[3279]: pppd 2.4.4 started by root, uid 0
May 18 13:23:18 dakar-lap wvdial[3306]: WvDial: Internet dialer version 1.54.0
May 18 13:23:18 dakar-lap wvdial[3306]: Warning: inherited section [*] does not exist in wvdial.conf
May 18 13:23:18 dakar-lap wvdial[3306]: Warning: inherited section [Modem0] does not exist in wvdial.conf
May 18 13:23:18 dakar-lap wvdial[3306]: Initializing modem.
May 18 13:23:18 dakar-lap wvdial[3306]: Sending: ATZ
May 18 13:23:18 dakar-lap wvdial[3306]: ATZ
May 18 13:23:18 dakar-lap wvdial[3306]: OK
May 18 13:23:18 dakar-lap wvdial[3306]: Sending: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
May 18 13:23:18 dakar-lap wvdial[3306]: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
May 18 13:23:18 dakar-lap wvdial[3306]: OK
May 18 13:23:18 dakar-lap wvdial[3306]: Modem initialized.
May 18 13:23:18 dakar-lap wvdial[3306]: Sending: ATDT#777
May 18 13:23:18 dakar-lap wvdial[3306]: Waiting for carrier.
May 18 13:23:18 dakar-lap wvdial[3306]: ATDT#777
May 18 13:23:20 dakar-lap wvdial[3306]: CONNECT
May 18 13:23:20 dakar-lap wvdial[3306]: Carrier detected. Chatmode finished.
May 18 13:23:20 dakar-lap pppd[3279]: Serial connection established.
May 18 13:23:20 dakar-lap pppd[3279]: Using interface ppp0
May 18 13:23:20 dakar-lap pppd[3279]: Connect: ppp0 <--> /dev/ttyACM0
May 18 13:23:21 dakar-lap kernel: PPP Deflate Compression module registered
May 18 13:23:21 dakar-lap pppd[3279]: Failed to create /etc/ppp/resolv.conf: Permission denied
May 18 13:23:21 dakar-lap pppd[3279]: local IP address 75.194.109.148
May 18 13:23:21 dakar-lap pppd[3279]: remote IP address 66.174.20.4
May 18 13:23:21 dakar-lap pppd[3279]: primary DNS address 66.174.95.44
May 18 13:23:21 dakar-lap pppd[3279]: secondary DNS address 66.174.92.14
May 18 13:23:21 dakar-lap NET[3384]: /etc/sysconfig/network-scripts/ifup-post : updated /etc/resolv.conf
May 18 13:23:24 dakar-lap setroubleshoot: SELinux is preventing /usr/sbin/pppd (pppd_t) "write" access to resolv.conf (pppd_etc_t). For complete SELinux messages. run sealert -l 96f1e56f-72f9-4974-94f9-2a4d1dd63e1e
May 18 13:23:57 dakar-lap kernel: Removing netfilter NETLINK layer.
May 18 13:23:57 dakar-lap kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
May 18 13:23:57 dakar-lap kernel: Netfilter messages via NETLINK v0.30.
May 18 13:23:57 dakar-lap kernel: ip_conntrack version 2.4 (8192 buckets, 65536 max) - 228 bytes per conntrack
May 18 13:24:00 dakar-lap restorecond: Reset file context /etc/resolv.conf: user_u:object_r:etc_t:s0->system_u:object_r:net_conf_t:s0

[root@dakar-lap ~]# sealert -l 96f1e56f-72f9-4974-94f9-2a4d1dd63e1e

Summary
    SELinux is preventing /usr/sbin/pppd (pppd_t) "write" access to resolv.conf (pppd_etc_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/pppd. It is not expected that this access is required by /usr/sbin/pppd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for resolv.conf, restorecon -v resolv.conf. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "pppd_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P pppd_disable_trans=1."

    The following command will allow this access:
    setsebool -P pppd_disable_trans=1

Additional Information

Source Context                system_u:system_r:pppd_t
Target Context                root:object_r:pppd_etc_t
Target Objects                resolv.conf [ file ]
Affected RPM Packages         ppp-2.4.4-1.el5 [application]
Policy RPM                    selinux-policy-2.4.6-71.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     dakar-lap.lga.redhat.com
Platform                      Linux dakar-lap.lga.redhat.com 2.6.18-8.1.3.el5 #1 SMP Mon Apr 16 15:54:12 EDT 2007 i686 i686
Alert Count                   12
Line Numbers

Raw Audit Messages

avc: denied { write } for comm="pppd" dev=dm-1 egid=0 euid=0 exe="/usr/sbin/pppd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="resolv.conf" pid=3279 scontext=system_u:system_r:pppd_t:s0 sgid=0 subj=system_u:system_r:pppd_t:s0 suid=0 tclass=file tcontext=root:object_r:pppd_etc_t:s0 tty=ttyACM0 uid=0
Re #4 - looks like the error is actually with the /etc/ppp/resolv.conf, not /etc/resolv.conf. The latter gets created correctly by ifup-post. I am now torn in actually trying to get this fixed - the SELinux error is the only way I know the ppp connection was setup as NetworkManager does not yet track ppp connections ;)
Could you check this with the policy currently available at http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Getting dependency errors:

rpm -Uvh selinux-policy-strict-2.4.6-83.el5.noarch.rpm selinux-policy-targeted-2.4.6-83.el5.noarch.rpm
error: Failed dependencies:
        selinux-policy = 2.4.6-83.el5 is needed by selinux-policy-strict-2.4.6-83.el5.noarch
        selinux-policy = 2.4.6-83.el5 is needed by selinux-policy-targeted-2.4.6-83.el5.noarch

rpms on disk:
rpm -qa | grep policy
policycoreutils-newrole-1.33.12-12.el5
policycoreutils-1.33.12-12.el5
selinux-policy-2.4.6-80.el5
policycoreutils-gui-1.33.12-12.el5
checkpolicy-1.33.1-2.el5
selinux-policy-targeted-2.4.6-80.el5
ignore #6 - just didn't see the rpm on the web page. Installed 2.4.6-83 rpms, but sestatus still shows Policy version 21.

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

rpm -qa | grep policy
selinux-policy-2.4.6-83.el5
selinux-policy-targeted-2.4.6-83.el5
policycoreutils-newrole-1.33.12-12.el5
policycoreutils-1.33.12-12.el5
selinux-policy-strict-2.4.6-83.el5
policycoreutils-gui-1.33.12-12.el5
checkpolicy-1.33.1-2.el5
The selinux error about /etc/ppp/resolv.conf is fixed. Had to reapply context.

ll -Z /etc/ppp/resolv.conf
-rw-r--r--  root root root:object_r:pppd_etc_t         /etc/ppp/resolv.conf
restorecon -v /etc/ppp/resolv.conf
restorecon reset /etc/ppp/resolv.conf context root:object_r:pppd_etc_t:s0->system_u:object_r:pppd_etc_rw_t:s0
ll -Z /etc/ppp/resolv.conf
-rw-r--r--  root root system_u:object_r:pppd_etc_rw_t  /etc/ppp/resolv.conf

Now getting errors on /etc/default-routes

sealert -l 858b44a4-5fc2-4e09-b3ab-ff4f839a74d5

Summary
    SELinux is preventing /sbin/ip (ifconfig_t) "read" to /etc/default-routes (net_conf_t).

Detailed Description
    SELinux denied access requested by /sbin/ip. It is not expected that this access is required by /sbin/ip and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /etc/default-routes, restorecon -v /etc/default-routes If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:ifconfig_t
Target Context                system_u:object_r:net_conf_t
Target Objects                /etc/default-routes [ file ]
Affected RPM Packages         iproute-2.6.18-4.el5 [application]
Policy RPM                    selinux-policy-2.4.6-83.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     dakar-lap.lga.redhat.com
Platform                      Linux dakar-lap.lga.redhat.com 2.6.18-36.el5 #1 SMP Fri Jul 20 14:26:11 EDT 2007 i686 i686
Alert Count                   3
Line Numbers

Raw Audit Messages

avc: denied { read } for comm="ip" dev=dm-1 egid=0 euid=0 exe="/sbin/ip" exit=0 fsgid=0 fsuid=0 gid=0 items=0 path="/etc/default-routes" pid=4660 scontext=system_u:system_r:ifconfig_t:s0 sgid=0 subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=file tcontext=system_u:object_r:net_conf_t:s0 tty=(none) uid=0

bash# restorecon -v /etc/default-routes
lstat(/etc/default-routes) failed: No such file or directory
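Triaging the raw audit records quoted in this bug the way the sealert text recommends (try restorecon first; if the label is already the default, the policy itself lacks the rule), as an added example that is not part of this bug or of the selinux-policy package: a Python script that parses raw AVC lines, pulls out the source type, target type and permission, and compares the target's reported type with the expected default label. The expected labels are hard-coded here as an assumption standing in for `matchpathcon -n PATH` output so the script runs without SELinux tooling (pppd_etc_rw_t is what restorecon applied to /etc/ppp/resolv.conf above); the mapping from pppd's bare `name="resolv.conf"` to /etc/ppp/resolv.conf is taken from the "Failed to create /etc/ppp/resolv.conf" syslog line in this bug, since that record carries no path= field.

```python
"""Triage raw SELinux AVC denials of the kind pasted in this bug.

Given one audit record per line, pull out the permission, the source and
target types, and the target object, then decide whether the denial looks
like a mislabelled file (fix: restorecon) or a real policy gap (fix: an
updated selinux-policy or a local module). The expected label is supplied
by the caller; on a live box it would come from `matchpathcon -n PATH`.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the two raw audit messages quoted in this bug,
# one record per line.
SAMPLE_AVCS = """\
avc: denied { write } for comm="pppd" dev=dm-1 egid=0 euid=0 exe="/usr/sbin/pppd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="resolv.conf" pid=3279 scontext=system_u:system_r:pppd_t:s0 sgid=0 subj=system_u:system_r:pppd_t:s0 suid=0 tclass=file tcontext=root:object_r:pppd_etc_t:s0 tty=ttyACM0 uid=0
avc: denied { read } for comm="ip" dev=dm-1 egid=0 euid=0 exe="/sbin/ip" exit=0 fsgid=0 fsuid=0 gid=0 items=0 path="/etc/default-routes" pid=4660 scontext=system_u:system_r:ifconfig_t:s0 sgid=0 subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=file tcontext=system_u:object_r:net_conf_t:s0 tty=(none) uid=0
"""

# Assumed default labels, standing in for `matchpathcon -n` output. The
# pppd_etc_rw_t value is what restorecon applied to /etc/ppp/resolv.conf in
# this bug; net_conf_t is the label the second denial already reports.
EXPECTED_TYPES = {
    "/etc/ppp/resolv.conf": "pppd_etc_rw_t",
    "/etc/default-routes": "net_conf_t",
}

_HEADER = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+")
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Avc:
    decision: str          # "denied" or "granted"
    perms: tuple           # e.g. ("write",)
    fields: dict = field(default_factory=dict)

    def _type(self, key):
        # A context is user:role:type[:level]; the type is the third field.
        return self.fields[key].split(":")[2]

    @property
    def source_type(self):
        return self._type("scontext")

    @property
    def target_type(self):
        return self._type("tcontext")

    @property
    def target(self):
        # Newer kernels log a full path=; older records only carry name=.
        return self.fields.get("path") or self.fields.get("name")

    def summary(self):
        return "%s %s { %s } on %s %s (%s)" % (
            self.source_type, self.decision, " ".join(self.perms),
            self.fields.get("tclass", "?"), self.target, self.target_type)


def parse_avc(line):
    """Parse one raw AVC record; return None for lines that are not AVCs."""
    m = _HEADER.search(line)
    if not m:
        return None
    avc = Avc(decision=m.group(1), perms=tuple(m.group(2).split()))
    for fm in _FIELD.finditer(line[m.end():]):
        key, quoted, bare = fm.groups()
        avc.fields[key] = quoted if quoted is not None else bare
    return avc


def parse_log(text):
    return [a for a in (parse_avc(ln) for ln in text.splitlines()) if a]


def diagnose(avc, expected_type):
    """'relabel' if the target carries a label other than the policy default
    (a labeling problem, the thing sealert says to try first), otherwise
    'policy': the file is labelled as intended and policy lacks the rule."""
    if avc.decision != "denied":
        return "granted"
    return "relabel" if avc.target_type != expected_type else "policy"


def triage(text, expected_types, name_to_path=None):
    """Map each denial to a verdict. name_to_path resolves bare name= values
    (pppd's record has no path=) to the real path used for the lookup."""
    name_to_path = name_to_path or {}
    results = []
    for avc in parse_log(text):
        path = avc.fields.get("path") or name_to_path.get(avc.fields.get("name"))
        expected = expected_types.get(path)
        verdict = diagnose(avc, expected) if expected else "unknown-path"
        results.append((avc.summary(), path, verdict))
    return results


if __name__ == "__main__":
    # pppd only logged name="resolv.conf"; the syslog line next to it shows
    # the file it failed to create was /etc/ppp/resolv.conf.
    for summary, path, verdict in triage(
            SAMPLE_AVCS, EXPECTED_TYPES, {"resolv.conf": "/etc/ppp/resolv.conf"}):
        print("%-64s %s -> %s" % (summary, path, verdict))
```

Run against the two records from this bug, the pppd denial comes out as "relabel" (pppd_etc_t on a file whose default is pppd_etc_rw_t, which is exactly what the restorecon above fixed) and the ip denial as "policy" (the file already carries net_conf_t, so only an updated policy can allow ifconfig_t to read it). On a real system, replace the hard-coded EXPECTED_TYPES with the output of `matchpathcon -n` for each path.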
Looks like /etc/default-routes does not exist?
BTW, Policy Version, which is what sestatus reports as 21, and the version of the rpm are two different things.
Subhendu, could you please try the latest policy available at link below and reply whether it solves your problem? Thank you. http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/93.el5/noarch/
Latest policy is available here: http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/101.el5/noarch/
All the PPP issues are fixed with 93 - thanks
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html