Bug 248702 - seLinux throws error when modprobe restablishes ppp connection to internet
seLinux throws error when modprobe restablishes ppp connection to internet
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: ppp (Show other bugs)
7
All Linux
low Severity low
: ---
: ---
Assigned To: Martin Nagy
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-18 07:42 EDT by Paul Thompson
Modified: 2016-07-26 19:46 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-25 00:20:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Paul Thompson 2007-07-18 07:42:51 EDT
Description of problem:
Using a speedtouch ADSL usb modem to contect to internet as ppp0
When internet goes down, modprobe tries to re-establish connection, yet reports
a seLinux error.
The internet still works however post this error

Version-Release number of selected component (if applicable):
kernel.i686                              2.6.21-1.3228.fc7      installed       
kernel-devel.i686                        2.6.21-1.3194.fc7      installed       
kernel-headers.i386                      2.6.21-1.3228.fc7      installed       
selinux-policy.noarch                    2.6.4-26.fc7           installed       
selinux-policy-targeted.noarch           2.6.4-26.fc7           installed       
ppp.i386                                 2.4.4-2                installed  
speetouch software / instructions located at
http://www.linux-usb.org/SpeedTouch/fedora/index.html

How reproducible:
connect to internet and wait indefinitely for lost connection. System will then
try to recover.
At first it will refuse any re-insertion of module until 
setsebool -Ppppd_can_ismod=1
it then produces the seLinux error

Steps to Reproduce:
1. see above
2.
3.
  
Actual results:
seLinux report is as follows:
Summary
    SELinux is preventing /sbin/modprobe (insmod_t) "read write" to
    socket:[42386] (pppd_var_run_t).

Detailed Description
    SELinux denied access requested by /sbin/modprobe. It is not expected that
    this access is required by /sbin/modprobe and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for socket:[42386], restorecon -v
    socket:[42386] If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:insmod_t
Target Context                system_u:object_r:pppd_var_run_t
Target Objects                socket:[42386] [ file ]
Affected RPM Packages         module-init-tools-3.3-0.pre11.1.0.fc7
                              [application]
Policy RPM                    selinux-policy-2.6.4-26.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     sally.thompson
Platform                      Linux sally.thompson 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Tue 17 Jul 2007 12:42:22 AM BST
Last Seen                     Tue 17 Jul 2007 12:42:22 AM BST
Local ID                      09268002-ef8d-41b3-b4ee-90f643e0879c
Line Numbers                  

Raw Audit Messages            

avc: denied { read, write } for comm="modprobe" dev=dm-0 egid=0 euid=0
exe="/sbin/modprobe" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="pppd2.tdb"
path="socket:[42386]" pid=5352 scontext=system_u:system_r:insmod_t:s0 sgid=0
subj=system_u:system_r:insmod_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:pppd_var_run_t:s0 tty=(none) uid=0

The socket number varies

Expected results:
No seLinux error

Additional info:
I believe the following local policy will fix the problem, but I haven't been
able to test it out thoroughly

module local 1.0;

require {
	type insmod_t;
	class udp_socket { read write };
	class file { read write };
}

#============= insmod_t ==============
allow insmod_t pppd_t:udp_socket { read write };
allow insmod_t pppd_var_run_t:file { read write };
Comment 1 Daniel Walsh 2007-07-18 09:34:12 EDT
These are leaked file descriptors by pppd.  Any file descriptor should be closed
on exec.  

fcntl(fd, F_SETFD, F_CLOEXEC)

Comment 2 Martin Nagy 2008-03-06 11:33:34 EST
Could you please reproduce this error with strace and attach the output? Thanks.
Comment 3 Brian Powell 2008-04-25 00:20:09 EDT
The information we've requested above is required in order
to review this problem report further and diagnose/fix the
issue if it is still present.  Since there have not been any
updates to the report since thirty (30) days or more since we
requested additional information, we're assuming the problem
is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "CLOSED INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested, 
please feel free to reopen the bug report.

Thank you in advance.

Note that maintenance for Fedora 7 will end 30 days after the GA of Fedora 9.

Note You need to log in before you can comment on or make changes to this bug.