Description of problem:
Using a speedtouch ADSL USB modem to connect to the internet as ppp0. When the internet goes down, modprobe tries to re-establish the connection, yet reports an SELinux error. The internet still works, however, after this error.

Version-Release number of selected component (if applicable):
kernel.i686 2.6.21-1.3228.fc7 installed
kernel-devel.i686 2.6.21-1.3194.fc7 installed
kernel-headers.i386 2.6.21-1.3228.fc7 installed
selinux-policy.noarch 2.6.4-26.fc7 installed
selinux-policy-targeted.noarch 2.6.4-26.fc7 installed
ppp.i386 2.4.4-2 installed
speedtouch software / instructions located at http://www.linux-usb.org/SpeedTouch/fedora/index.html

How reproducible:
Connect to the internet and wait indefinitely for a lost connection. The system will then try to recover. At first it will refuse any re-insertion of the module until
    setsebool -P pppd_can_insmod=1
It then produces the SELinux error.

Steps to Reproduce:
1. see above
2.
3.

Actual results:
The SELinux report is as follows:

Summary
SELinux is preventing /sbin/modprobe (insmod_t) "read write" to socket:[42386] (pppd_var_run_t).

Detailed Description
SELinux denied access requested by /sbin/modprobe. It is not expected that this access is required by /sbin/modprobe and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for socket:[42386],
    restorecon -v socket:[42386]
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context          system_u:system_r:insmod_t
Target Context          system_u:object_r:pppd_var_run_t
Target Objects          socket:[42386] [ file ]
Affected RPM Packages   module-init-tools-3.3-0.pre11.1.0.fc7 [application]
Policy RPM              selinux-policy-2.6.4-26.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.catchall_file
Host Name               sally.thompson
Platform                Linux sally.thompson 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count             1
First Seen              Tue 17 Jul 2007 12:42:22 AM BST
Last Seen               Tue 17 Jul 2007 12:42:22 AM BST
Local ID                09268002-ef8d-41b3-b4ee-90f643e0879c
Line Numbers

Raw Audit Messages
avc: denied { read, write } for comm="modprobe" dev=dm-0 egid=0 euid=0 exe="/sbin/modprobe" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="pppd2.tdb" path="socket:[42386]" pid=5352 scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0 suid=0 tclass=file tcontext=system_u:object_r:pppd_var_run_t:s0 tty=(none) uid=0

The socket number varies.

Expected results:
No SELinux error

Additional info:
I believe the following local policy will fix the problem, but I haven't been able to test it out thoroughly:

    module local 1.0;

    require {
        type insmod_t;
        # every type named in an allow rule must also be declared here
        type pppd_t;
        type pppd_var_run_t;
        class udp_socket { read write };
        class file { read write };
    }

    #============= insmod_t ==============
    allow insmod_t pppd_t:udp_socket { read write };
    allow insmod_t pppd_var_run_t:file { read write };
These are leaked file descriptors by pppd. Any file descriptor should be closed on exec.

    fcntl(fd, F_SETFD, FD_CLOEXEC)
Could you please reproduce this error with strace and attach the output? Thanks.
The information we've requested above is required in order to review this problem report further and diagnose/fix the issue if it is still present. Since there have not been any updates to the report for thirty (30) days or more since we requested additional information, we're assuming the problem is either no longer present in the current Fedora release, or that there is no longer any interest in tracking the problem.

Setting status to "CLOSED INSUFFICIENT_DATA". If you still experience this problem after updating to our latest Fedora release and can provide the information previously requested, please feel free to reopen the bug report.

Thank you in advance.

Note that maintenance for Fedora 7 will end 30 days after the GA of Fedora 9.