Bug 236794 - ppp targeted policy denials
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Duplicates: 236793
Reported: 2007-04-17 13:33 EDT by Subhendu Ghosh
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 11:39:09 EST
Description Subhendu Ghosh 2007-04-17 13:33:56 EDT
Description of problem: When initializing a ppp connection via NetworkManager,
pppd gets AVC denials for /var/run, /etc/default-routes, and /etc/resolv.conf


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-30.el5
selinux-policy-targeted-2.4.6-30.el5
NetworkManager-glib-0.6.4-6.el5
NetworkManager-0.6.4-6.el5
NetworkManager-gnome-0.6.4-6.el5
ppp-2.4.4-1.el5


How reproducible:


Steps to Reproduce:
1. Define dial-up interface
2. Use NetworkManager to connect via dial-up interface

Actual results:
3 AVC denial messages

Expected results:
no AVC denial messages

Additional info:
Comment 2 Subhendu Ghosh 2007-04-17 13:53:18 EDT
*** Bug 236793 has been marked as a duplicate of this bug. ***
Comment 3 David Hollis 2007-05-04 16:45:49 EDT
I also get AVC denials when trying to sync my phone over bluetooth.  PPP is
unable to read/write /var/run/pppd2.tdb.  If I use 'setenforce 0', I'm able to
sync.  The pppd2.tdb file seems to get created dynamically to match up
connections for multilink.  I don't know if it would be better if it was created
under /var/run/ppp, though that looks like it would be a build option.
Comment 4 Daniel Walsh 2007-05-05 07:54:56 EDT
This looks like a labeling problem.

restorecon /var/run/pppd2.tdb should fix the label on this file.

The question is how did it get the wrong label?

Also the resolv.conf that it is complaining about is this in /etc or /etc/ppp?
Comment 5 Subhendu Ghosh 2007-05-07 10:26:01 EDT
re #4: /etc/resolv.conf 
Comment 6 Daniel Walsh 2007-05-15 10:54:24 EDT
How do you set this up?
Comment 8 Daniel Walsh 2007-05-17 11:24:52 EDT
Could you check this against the u1 policy? Currently available in preview at
http://people.redhat.com/dwalsh/SELinux/RHEL5/u1

I believe this is fixed in selinux-policy-2.4.6-71
Comment 10 RHEL Product and Program Management 2007-05-18 12:24:27 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 11 Subhendu Ghosh 2007-05-18 13:58:16 EDT
Still getting errors:

SYSLOG
May 18 13:23:17 dakar-lap pppd[3279]: pppd 2.4.4 started by root, uid 0
May 18 13:23:18 dakar-lap wvdial[3306]: WvDial: Internet dialer version 1.54.0
May 18 13:23:18 dakar-lap wvdial[3306]: Warning: inherited section [*] does not exist in wvdial.conf
May 18 13:23:18 dakar-lap wvdial[3306]: Warning: inherited section [Modem0] does not exist in wvdial.conf
May 18 13:23:18 dakar-lap wvdial[3306]: Initializing modem.
May 18 13:23:18 dakar-lap wvdial[3306]: Sending: ATZ
May 18 13:23:18 dakar-lap wvdial[3306]: ATZ
May 18 13:23:18 dakar-lap wvdial[3306]: OK
May 18 13:23:18 dakar-lap wvdial[3306]: Sending: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
May 18 13:23:18 dakar-lap wvdial[3306]: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
May 18 13:23:18 dakar-lap wvdial[3306]: OK
May 18 13:23:18 dakar-lap wvdial[3306]: Modem initialized.
May 18 13:23:18 dakar-lap wvdial[3306]: Sending: ATDT#777
May 18 13:23:18 dakar-lap wvdial[3306]: Waiting for carrier.
May 18 13:23:18 dakar-lap wvdial[3306]: ATDT#777
May 18 13:23:20 dakar-lap wvdial[3306]: CONNECT
May 18 13:23:20 dakar-lap wvdial[3306]: Carrier detected.  Chatmode finished.
May 18 13:23:20 dakar-lap pppd[3279]: Serial connection established.
May 18 13:23:20 dakar-lap pppd[3279]: Using interface ppp0
May 18 13:23:20 dakar-lap pppd[3279]: Connect: ppp0 <--> /dev/ttyACM0
May 18 13:23:21 dakar-lap kernel: PPP Deflate Compression module registered
May 18 13:23:21 dakar-lap pppd[3279]: Failed to create /etc/ppp/resolv.conf: Permission denied
May 18 13:23:21 dakar-lap pppd[3279]: local  IP address 75.194.109.148
May 18 13:23:21 dakar-lap pppd[3279]: remote IP address 66.174.20.4
May 18 13:23:21 dakar-lap pppd[3279]: primary   DNS address 66.174.95.44
May 18 13:23:21 dakar-lap pppd[3279]: secondary DNS address 66.174.92.14
May 18 13:23:21 dakar-lap NET[3384]: /etc/sysconfig/network-scripts/ifup-post : updated /etc/resolv.conf
May 18 13:23:24 dakar-lap setroubleshoot:      SELinux is preventing /usr/sbin/pppd (pppd_t) "write" access to resolv.conf (pppd_etc_t).      For complete SELinux messages. run sealert -l 96f1e56f-72f9-4974-94f9-2a4d1dd63e1e
May 18 13:23:57 dakar-lap kernel: Removing netfilter NETLINK layer.
May 18 13:23:57 dakar-lap kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
May 18 13:23:57 dakar-lap kernel: Netfilter messages via NETLINK v0.30.
May 18 13:23:57 dakar-lap kernel: ip_conntrack version 2.4 (8192 buckets, 65536 max) - 228 bytes per conntrack
May 18 13:24:00 dakar-lap restorecond: Reset file context /etc/resolv.conf: user_u:object_r:etc_t:s0->system_u:object_r:net_conf_t:s0
*********************************************************88

[root@dakar-lap ~]# sealert -l 96f1e56f-72f9-4974-94f9-2a4d1dd63e1e
Summary
    SELinux is preventing /usr/sbin/pppd (pppd_t) "write" access to resolv.conf
    (pppd_etc_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/pppd. It is not expected that
    this access is required by /usr/sbin/pppd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for resolv.conf, restorecon -v
    resolv.conf. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "pppd_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P pppd_disable_trans=1."

    The following command will allow this access:
    setsebool -P pppd_disable_trans=1

Additional Information        

Source Context                system_u:system_r:pppd_t
Target Context                root:object_r:pppd_etc_t
Target Objects                resolv.conf [ file ]
Affected RPM Packages         ppp-2.4.4-1.el5 [application]
Policy RPM                    selinux-policy-2.4.6-71.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     dakar-lap.lga.redhat.com
Platform                      Linux dakar-lap.lga.redhat.com 2.6.18-8.1.3.el5 #1
                              SMP Mon Apr 16 15:54:12 EDT 2007 i686 i686
Alert Count                   12
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm="pppd" dev=dm-1 egid=0 euid=0
exe="/usr/sbin/pppd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="resolv.conf"
pid=3279 scontext=system_u:system_r:pppd_t:s0 sgid=0
subj=system_u:system_r:pppd_t:s0 suid=0 tclass=file
tcontext=root:object_r:pppd_etc_t:s0 tty=ttyACM0 uid=0

Comment 13 Subhendu Ghosh 2007-05-22 09:26:25 EDT
Re #4 - looks like the error is actually with the /etc/ppp/resolv.conf, not
/etc/resolv.conf. The latter gets created correctly by ifup-post.

I am now torn in actually trying to get this fixed - the SELinux error is the
only way I know the ppp connection was setup as NetworkManager does not yet
track ppp connections ;)
Comment 15 Eduard Benes 2007-08-21 04:37:43 EDT
Could you check this with the policy currently available at
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 16 Subhendu Ghosh 2007-08-21 21:58:05 EDT
Getting dependency errors:

rpm -Uvh selinux-policy-strict-2.4.6-83.el5.noarch.rpm selinux-policy-targeted-2.4.6-83.el5.noarch.rpm

error: Failed dependencies:
        selinux-policy = 2.4.6-83.el5 is needed by selinux-policy-strict-2.4.6-83.el5.noarch
        selinux-policy = 2.4.6-83.el5 is needed by selinux-policy-targeted-2.4.6-83.el5.noarch


rpms on disk:
rpm -qa | grep policy
policycoreutils-newrole-1.33.12-12.el5
policycoreutils-1.33.12-12.el5
selinux-policy-2.4.6-80.el5
policycoreutils-gui-1.33.12-12.el5
checkpolicy-1.33.1-2.el5
selinux-policy-targeted-2.4.6-80.el5
Comment 17 Subhendu Ghosh 2007-08-22 00:16:55 EDT
ignore #6 - just didn't see the rpm on the web page.

Installed 2.4.6-83 rpms, but sestatus still shows Policy version 21.

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

rpm -qa | grep policy
selinux-policy-2.4.6-83.el5
selinux-policy-targeted-2.4.6-83.el5
policycoreutils-newrole-1.33.12-12.el5
policycoreutils-1.33.12-12.el5
selinux-policy-strict-2.4.6-83.el5
policycoreutils-gui-1.33.12-12.el5
checkpolicy-1.33.1-2.el5
Comment 18 Subhendu Ghosh 2007-08-22 00:28:47 EDT
The selinux error about /etc/ppp/resolv.conf is fixed.  Had to reapply context.

ll -Z /etc/ppp/resolv.conf 
-rw-r--r--  root root root:object_r:pppd_etc_t         /etc/ppp/resolv.conf

restorecon -v /etc/ppp/resolv.conf 
restorecon reset /etc/ppp/resolv.conf context
root:object_r:pppd_etc_t:s0->system_u:object_r:pppd_etc_rw_t:s0

ll -Z /etc/ppp/resolv.conf 
-rw-r--r--  root root system_u:object_r:pppd_etc_rw_t  /etc/ppp/resolv.conf


Now getting errors on /etc/default-routes

sealert -l 858b44a4-5fc2-4e09-b3ab-ff4f839a74d5
Summary
    SELinux is preventing /sbin/ip (ifconfig_t) "read" to /etc/default-routes
    (net_conf_t).

Detailed Description
    SELinux denied access requested by /sbin/ip. It is not expected that this
    access is required by /sbin/ip and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /etc/default-routes, restorecon
    -v /etc/default-routes If this does not work, there is currently no
    automatic way to allow this access. Instead,  you can generate a local
    policy module to allow this access - see http://fedora.redhat.com/docs
    /selinux-faq-fc5/#id2961385 Or you can disable SELinux protection
    altogether. Disabling SELinux protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:ifconfig_t
Target Context                system_u:object_r:net_conf_t
Target Objects                /etc/default-routes [ file ]
Affected RPM Packages         iproute-2.6.18-4.el5 [application]
Policy RPM                    selinux-policy-2.4.6-83.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     dakar-lap.lga.redhat.com
Platform                      Linux dakar-lap.lga.redhat.com 2.6.18-36.el5 #1
                              SMP Fri Jul 20 14:26:11 EDT 2007 i686 i686
Alert Count                   3
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="ip" dev=dm-1 egid=0 euid=0 exe="/sbin/ip" exit=0
fsgid=0 fsuid=0 gid=0 items=0 path="/etc/default-routes" pid=4660
scontext=system_u:system_r:ifconfig_t:s0 sgid=0
subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:net_conf_t:s0 tty=(none) uid=0


bash# restorecon -v /etc/default-routes
lstat(/etc/default-routes) failed: No such file or directory
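As an added example (not part of this bug report and not Red Hat's tooling), the following Python script parses the two raw AVC records quoted in comments 11 and 18 and applies the triage Dan Walsh describes in comment 4: compare the type actually on the file with the type its path should carry, and only then decide whether restorecon or a policy change is the fix. The EXPECTED_TYPES table is a constructed stand-in for what `matchpathcon` would report on a real host; its two entries are the only labels this bug's own output shows (pppd_etc_rw_t for /etc/ppp/resolv.conf from the restorecon output in comment 18, net_conf_t for /etc/resolv.conf from the restorecond line in comment 11).

```python
"""Triage SELinux AVC denials as labeling problems vs. missing policy.

Added example, not part of this bug report. The two records below are the
raw audit messages quoted in comments 11 and 18; EXPECTED_TYPES is a
constructed stand-in for what `matchpathcon <path>` reports on a real host.
"""
import re
import shlex

# Raw audit messages copied from the bug (line-wrapped in the report).
AVC_PPPD_RESOLV = """avc: denied { write } for comm="pppd" dev=dm-1 egid=0 euid=0
exe="/usr/sbin/pppd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="resolv.conf"
pid=3279 scontext=system_u:system_r:pppd_t:s0 sgid=0
subj=system_u:system_r:pppd_t:s0 suid=0 tclass=file
tcontext=root:object_r:pppd_etc_t:s0 tty=ttyACM0 uid=0"""

AVC_IP_ROUTES = """avc: denied { read } for comm="ip" dev=dm-1 egid=0 euid=0 exe="/sbin/ip" exit=0
fsgid=0 fsuid=0 gid=0 items=0 path="/etc/default-routes" pid=4660
scontext=system_u:system_r:ifconfig_t:s0 sgid=0
subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:net_conf_t:s0 tty=(none) uid=0"""

# Constructed reference table (stand-in for matchpathcon). The two entries are
# the labels this bug's own output shows: restorecon in comment 18 and
# restorecond in comment 11.
EXPECTED_TYPES = {
    "/etc/ppp/resolv.conf": "pppd_etc_rw_t",
    "/etc/resolv.conf": "net_conf_t",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")


def parse_avc(text):
    """Parse one AVC 'denied' record into a dict; return None for other log lines.

    The record may be wrapped over several lines, so whitespace is normalised
    first. Quoted values (exe="...", name="...") are unquoted by shlex.
    """
    m = AVC_RE.search(" ".join(text.split()))
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for tok in shlex.split(m.group("rest")):
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def triage(rec, expected=EXPECTED_TYPES):
    """Classify a denial as 'labeling', 'policy' or 'unknown'.

    If the object's observed type already matches the type its path should
    carry, relabeling cannot help and the policy lacks a rule ('policy').
    If it differs, restorecon is the first thing to try ('labeling').
    Records that carry only name= (no path=) are matched against every known
    path with that basename, because the basename alone is ambiguous.
    """
    observed = context_type(rec["tcontext"])
    if "path" in rec:
        candidates = {p: t for p, t in expected.items() if p == rec["path"]}
    else:
        name = rec.get("name", "")
        candidates = {p: t for p, t in expected.items()
                      if p.rsplit("/", 1)[-1] == name}
    if not candidates:
        return "unknown"  # no reference label on hand; run matchpathcon on the host
    if observed in candidates.values():
        return "policy"
    return "labeling"


def summarize(rec):
    """One-line summary of a parsed record plus its triage verdict."""
    target = rec.get("path") or rec.get("name", "?")
    return "%s %s %s %s(%s) -> %s" % (
        context_type(rec["scontext"]), " ".join(rec["perms"]), rec["tclass"],
        target, context_type(rec["tcontext"]), triage(rec))


if __name__ == "__main__":
    for raw in (AVC_PPPD_RESOLV, AVC_IP_ROUTES):
        print(summarize(parse_avc(raw)))
```

The first record carries only `name="resolv.conf"`, so the script cannot tell /etc/resolv.conf from /etc/ppp/resolv.conf, which is exactly the question comment 4 asks and comment 13 answers; it therefore treats every known path with that basename as a candidate, and since the observed pppd_etc_t matches none of them it reports a labeling problem, matching what the restorecon run in comment 18 confirmed. The /etc/default-routes record comes back 'unknown' because no reference label for that path is on hand, which is the cue to run matchpathcon or restorecon -n -v on the host.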
Comment 19 Daniel Walsh 2007-08-22 08:34:16 EDT
Looks like /etc/default-routes does not exist?
Comment 20 Daniel Walsh 2007-08-22 08:38:43 EDT
BTW, the Policy Version (which is what sestatus reports as 21) and the version of the
rpm are two different things.
Comment 21 Eduard Benes 2007-09-21 14:52:48 EDT
Subhendu, could you please try the latest policy available at link below and 
reply whether it solves your problem? Thank you.

http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/93.el5/noarch/
Comment 22 Eduard Benes 2007-09-28 11:01:13 EDT
Latest policy is available here:

http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/101.el5/noarch/
Comment 23 Subhendu Ghosh 2007-10-01 10:54:24 EDT
All the PPP issues are fixed with 93 - thanks
Comment 25 errata-xmlrpc 2007-11-07 11:39:09 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html
