Bug 327001 - Cannot bring up ppp0 interface using NetworkManager
Cannot bring up ppp0 interface using NetworkManager
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
7
All Linux
low Severity high
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-10 17:36 EDT by David Anderson
Modified: 2008-06-16 22:37 EDT (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-16 22:37:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Anderson 2007-10-10 17:36:13 EDT
Description of problem:

I have a Speedtouch USB ADSL modem, which is brought up (PPPoA) 
with /sbin/ifup ppp0 at the bash prompt.

However, trying to bring it up via knetworkmanager doesn't work, and results 
in these errors in syslog:

Oct 10 22:25:26 hodge setroubleshoot:      SELinux is preventing pppoe-status 
(NetworkManager_t) "search" to ppp (pppd_etc_t).      For complete SELinux 
mess
ages. run sealert -l 2726aae0-0a5a-42ee-9358-63690d3c2fd6
Oct 10 22:25:26 hodge setroubleshoot:      SELinux is preventing pppoe-status 
(NetworkManager_t) "read" to ppp (pppd_etc_t).      For complete SELinux 
messag
es. run sealert -l 45c9b762-9d09-4266-a7aa-774677c12555
Oct 10 22:25:26 hodge setroubleshoot:      SELinux is preventing pppoe-status 
(NetworkManager_t) "read" to ppp (pppd_etc_t).      For complete SELinux 
messag
es. run sealert -l 45c9b762-9d09-4266-a7aa-774677c12555
Oct 10 22:25:26 hodge setroubleshoot:      SELinux is 
preventing /usr/sbin/pppd (pppd_t) "read write" to pppd2.tdb (var_run_t).      
For complete SELinux mes
sages. run sealert -l 705b54fb-b5dd-40d6-84f2-9dba9988806d
Oct 10 22:25:26 hodge setroubleshoot:      SELinux is preventing the ppp 
daemon from inserting kernel modules.      For complete SELinux messages. run 
sealer
t -l 002590b9-e0e3-4309-a508-d57d94a318dc
Oct 10 22:25:27 hodge setroubleshoot:      SELinux is preventing the ppp 
daemon from inserting kernel modules.      For complete SELinux messages. run 
sealer
t -l b47a9894-56c4-4691-ba88-d01a9807322e
Oct 10 22:25:27 hodge setroubleshoot:      SELinux is preventing the ppp 
daemon from inserting kernel modules.      For complete SELinux messages. run 
sealer
t -l 002590b9-e0e3-4309-a508-d57d94a318dc
Oct 10 22:25:27 hodge setroubleshoot:      SELinux is preventing pppoe-connect 
(NetworkManager_t) "search" to ppp (pppd_etc_t).      For complete SELinux mes
sages. run sealert -l 2726aae0-0a5a-42ee-9358-63690d3c2fd6
Comment 1 Daniel Walsh 2007-10-15 13:30:17 EDT
could you try 

restorecon -R -v /var/run
chcon -t pppd_exec_t PATHTO/pppoe-status

To see if this fixes the problem.
Comment 2 Daniel Walsh 2007-10-17 14:25:43 EDT
Fixed in selinux-policy-2.6.4-49
Comment 3 David Anderson 2007-11-10 06:41:25 EST
Not fixed in 2-6.4.49.

# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.6.4-49.fc7


From /var/log/messages:


Nov 10 10:35:50 hodge kernel: ATM dev 0: ADSL line is up (2272 kb/s down | 288 
kb/s up)
Nov 10 10:35:56 hodge NetworkManager: <info>  Activating dialup device ppp0 
via Modem (ppp0) ...
Nov 10 10:35:57 hodge pppd[5255]: Plugin pppoatm.so loaded.
Nov 10 10:35:57 hodge pppd[5255]: PPPoATM plugin_init
Nov 10 10:35:57 hodge pppd[5255]: PPPoATM setdevname_pppoatm - SUCCESS:0.38
Nov 10 10:35:57 hodge pppd[5255]: Warning: couldn't open ppp 
database /var/run/pppd2.tdb
Nov 10 10:35:57 hodge pppd[5255]: pppd 2.4.4 started by root, uid 0
Nov 10 10:35:57 hodge pppd[5255]: Failed to create pid 
file /var/run/ppp-ppp0.pid: Permission denied
Nov 10 10:35:57 hodge pppd[5255]: Using interface ppp0
Nov 10 10:35:57 hodge pppd[5255]: Failed to create pid file /var/run/ppp0.pid: 
Permission denied
Nov 10 10:35:57 hodge pppd[5255]: Fatal signal 11
Nov 10 10:35:57 hodge pppd[5255]: Exit.
Nov 10 10:35:57 hodge pppoe-connect: PPPoE connection lost; attempting 
re-connection.
Nov 10 10:35:59 hodge setroubleshoot:      SELinux is 
preventing /usr/sbin/pppd (pppd_t) "read write" to pppd2.tdb (var_run_t).      
For complete SELinux mes
sages. run sealert -l 705b54fb-b5dd-40d6-84f2-9dba9988806d
Nov 10 10:35:59 hodge setroubleshoot:      SELinux is 
preventing /usr/sbin/pppd (pppd_t) "write" to ppp-ppp0.pid (var_run_t).      
For complete SELinux messa
ges. run sealert -l 1f000f4c-42e8-43f2-a0f1-3c2b9d402cf2
Nov 10 10:35:59 hodge setroubleshoot:      SELinux is preventing the ppp 
daemon from inserting kernel modules.      For complete SELinux messages. run 
sealer
t -l b47a9894-56c4-4691-ba88-d01a9807322e
Nov 10 10:35:59 hodge setroubleshoot:      SELinux is preventing the ppp 
daemon from inserting kernel modules.      For complete SELinux messages. run 
sealer
t -l 002590b9-e0e3-4309-a508-d57d94a318dc
Nov 10 10:35:59 hodge setroubleshoot:      SELinux is preventing the ppp 
daemon from inserting kernel modules.      For complete SELinux messages. run 
sealer
t -l 002590b9-e0e3-4309-a508-d57d94a318dc
Nov 10 10:35:59 hodge setroubleshoot:      SELinux is 
preventing /usr/sbin/pppd (pppd_t) "write" to ppp0.pid (var_run_t).      For 
complete SELinux messages.
 run sealert -l b8d0bc24-f77f-49c7-ab25-f256386bc57b
Comment 4 David Anderson 2007-11-10 06:46:03 EST
Apologies - I hadn't run all the commands Dan asked me to. I have now - it 
works (brings up Internet connection), but plenty of stuff is still logged:


Nov 10 10:44:47 hodge NetworkManager: <info>  Activating dialup device ppp0 
via Modem (ppp0) ...
Nov 10 10:44:48 hodge pppd[6621]: Plugin pppoatm.so loaded.
Nov 10 10:44:48 hodge pppd[6621]: PPPoATM plugin_init
Nov 10 10:44:48 hodge pppd[6621]: PPPoATM setdevname_pppoatm - SUCCESS:0.38
Nov 10 10:44:48 hodge pppd[6621]: pppd 2.4.4 started by root, uid 0
Nov 10 10:44:48 hodge pppd[6621]: Using interface ppp0
Nov 10 10:44:48 hodge pppd[6621]: Connect: ppp0 <--> 0.38
Nov 10 10:44:48 hodge pppd[6621]: Couldn't increase MTU to 1500. Using 1492
Nov 10 10:44:48 hodge pppd[6621]: Couldn't increase MRU to 1500. Using 1492
Nov 10 10:44:50 hodge setroubleshoot:      SELinux is preventing the ppp 
daemon from inserting kernel modules.      For complete SELinux messages. run 
sealert -l 002590b9-e0e3-4309-a508-d57d94a318dc
Nov 10 10:44:50 hodge setroubleshoot:      SELinux is preventing the ppp 
daemon from inserting kernel modules.      For complete SELinux messages. run 
sealert -l b47a9894-56c4-4691-ba88-d01a9807322e
Nov 10 10:44:50 hodge setroubleshoot:      SELinux is preventing the ppp 
daemon from inserting kernel modules.      For complete SELinux messages. run 
sealert -l 002590b9-e0e3-4309-a508-d57d94a318dc
Nov 10 10:44:51 hodge pppd[6621]: Couldn't increase MTU to 1500. Using 1492
Nov 10 10:44:51 hodge pppd[6621]: CHAP authentication succeeded
Nov 10 10:44:51 hodge pppd[6621]: CHAP authentication succeeded
Nov 10 10:44:51 hodge pppd[6621]: local  IP address 86.31.243.57
Nov 10 10:44:51 hodge pppd[6621]: remote IP address 194.145.148.252
Nov 10 10:44:51 hodge pppd[6621]: primary   DNS address 194.168.4.100
Nov 10 10:44:51 hodge pppd[6621]: secondary DNS address 194.168.8.100
Nov 10 10:44:51 hodge NET[6671]: /etc/sysconfig/network-scripts/ifup-post : 
updated /etc/resolv.conf
Nov 10 10:44:55 hodge setroubleshoot:      SELinux is preventing pppoe-status 
(pppd_t) "getattr" to /var/run/pppoa-adsl.pid.pppd (NetworkManager_var_run_t).      
For complete SELinux messages. run sealert -l 
7660bab4-741c-4f8e-8225-65571f93f67d
Nov 10 10:45:26 hodge last message repeated 5 times
Comment 5 David Anderson 2007-11-16 11:48:42 EST
Also I've discovered that NetworkManager can't close the connection. Whether 
that's an SELinux bug caused by the above logged denials or not, I can't tell 
as I'm not expert enough.
Comment 6 Daniel Walsh 2007-11-26 12:02:23 EST
After updating to selinux-policy-2.6.4-59.fc7 in fedora-testing could you
attempt the connection and attach the /var/log/audit/audit.log?
Comment 7 David Anderson 2007-12-04 04:03:18 EST
I will do. I discovered that the location of the pid file was being set by by 
ifcfg-ppp0 file, and may not be standard (I cribbed it from a tutorial for 
using the Speedtouch). However there were still other messages even after I'd 
taken that out - I'll test it out.
Comment 8 David Anderson 2007-12-19 03:25:42 EST
My present status is that I no longer have the original connection I began 
this with available.

But I am still using a ppp connection via NetworkManager. I have 
selinux-policy-2.6.4-61.fc7 installed.

It works, both connecting and disconnecting, but every time I end the 
connection, I get this in the logs (and an alert bubble on the desktop to tell 
me about it):

avc: denied { signal } for comm="pppd" egid=0 euid=0 exe="/usr/sbin/pppd" 
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=26820 
scontext=system_u:system_r:pppd_t:s0 sgid=0 subj=system_u:system_r:pppd_t:s0 
suid=0 tclass=process tcontext=system_u:system_r:initrc_t:s0 tty=(none) uid=0 
Comment 9 Daniel Walsh 2007-12-19 13:05:07 EST
What process is running as initrc_t?

ps -eZ | grep initrc_t
Comment 10 David Anderson 2007-12-24 03:19:55 EST
system_u:system_r:initrc_t       2612 ?        00:00:00 
NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
Comment 11 Daniel Walsh 2007-12-31 08:59:53 EST
Fixed in selinux-policy-2.6.4-67.fc7
Comment 12 Daniel Walsh 2008-01-30 14:06:16 EST
Bulk closing a old selinux policy bugs that were in the modified state.  If the
bug is still not fixed.  Please reopen.
Comment 13 David Anderson 2008-02-04 04:26:52 EST
This bug was not fixed in selinux-policy-2.6.4-67.fc7 - I can confirm that 
with this version I still get the error as in #8.
Comment 14 Daniel Walsh 2008-02-04 15:59:56 EST
# ls -Z /usr/sbin/NetworkManagerDispatcher
-rwxr-xr-x  root root system_u:object_r:NetworkManager_exec_t:s0
/usr/sbin/NetworkManagerDispatcher

If this does not match, run restorecon

restorecon /usr/sbin/NetworkManagerDispatcher
Comment 15 David Anderson 2008-02-15 06:25:30 EST
It's correctly labelled. In fact I did a relabel of the whole filesystem just 
to make sure. I have now seen this fault on two machines.
Comment 16 Daniel Walsh 2008-02-15 09:49:58 EST
Fine what label is on the NetworkManagerDispatcher

# ls -Z /usr/sbin/NetworkManagerDispatcher

I want to see if something went wrong with the update.
Comment 17 David Anderson 2008-02-21 03:00:56 EST
# ls -Z /usr/sbin/NetworkManagerDispatcher
-rwxr-xr-x  root root 
system_u:object_r:NetworkManager_exec_t /usr/sbin/NetworkManagerDispatcher
Comment 18 Daniel Walsh 2008-02-21 10:26:17 EST
Ok what AVC messages are you still seeing?
Comment 19 David Anderson 2008-03-05 02:44:37 EST
avc: denied { signal } for comm="pppd" egid=0 euid=0 exe="/usr/sbin/pppd" 
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=23072 
scontext=user_u:system_r:pppd_t:s0 sgid=0 subj=user_u:system_r:pppd_t:s0 
suid=0 tclass=process tcontext=user_u:system_r:initrc_t:s0 tty=(none) uid=0 
Comment 20 Daniel Walsh 2008-03-05 15:54:02 EST
Do you have the disabletrans boolean set?

getsebool -a | grep disable | grep -i network
Comment 21 David Anderson 2008-04-12 04:42:06 EDT
I get no output from the command given above, or even from:  getsebool -a | grep disable  I tried to read the whole list of booleans, but none of them seemed close to the one mentioned above.  
Comment 22 Daniel Walsh 2008-05-07 14:15:12 EDT
Ok I buried in other problems what is the current state of this bug.  Are you
still seeing this avc?
Comment 23 Bug Zapper 2008-05-14 10:41:56 EDT
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs:
http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 24 David Anderson 2008-05-22 08:42:45 EDT
Yes, still seeing this same avc.
Comment 25 Daniel Walsh 2008-05-23 15:25:04 EDT
Are you planning on upgrading to Fedora 8 or 9?
Comment 26 Bug Zapper 2008-06-16 22:37:54 EDT
Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. 
Fedora 7 is no longer maintained, which means that it will not 
receive any further security or bug fix updates. As a result we 
are closing this bug. 

If you can reproduce this bug against a currently maintained version 
of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.