Description of problem: I have a Speedtouch USB ADSL modem, which is brought up (PPPoA) with /sbin/ifup ppp0 at the bash prompt. However, trying to bring it up via knetworkmanager doesn't work, and results in these errors in syslog:
    Oct 10 22:25:26 hodge setroubleshoot: SELinux is preventing pppoe-status (NetworkManager_t) "search" to ppp (pppd_etc_t). For complete SELinux messages. run sealert -l 2726aae0-0a5a-42ee-9358-63690d3c2fd6
    Oct 10 22:25:26 hodge setroubleshoot: SELinux is preventing pppoe-status (NetworkManager_t) "read" to ppp (pppd_etc_t). For complete SELinux messages. run sealert -l 45c9b762-9d09-4266-a7aa-774677c12555
    Oct 10 22:25:26 hodge setroubleshoot: SELinux is preventing pppoe-status (NetworkManager_t) "read" to ppp (pppd_etc_t). For complete SELinux messages. run sealert -l 45c9b762-9d09-4266-a7aa-774677c12555
    Oct 10 22:25:26 hodge setroubleshoot: SELinux is preventing /usr/sbin/pppd (pppd_t) "read write" to pppd2.tdb (var_run_t). For complete SELinux messages. run sealert -l 705b54fb-b5dd-40d6-84f2-9dba9988806d
    Oct 10 22:25:26 hodge setroubleshoot: SELinux is preventing the ppp daemon from inserting kernel modules. For complete SELinux messages. run sealert -l 002590b9-e0e3-4309-a508-d57d94a318dc
    Oct 10 22:25:27 hodge setroubleshoot: SELinux is preventing the ppp daemon from inserting kernel modules. For complete SELinux messages. run sealert -l b47a9894-56c4-4691-ba88-d01a9807322e
    Oct 10 22:25:27 hodge setroubleshoot: SELinux is preventing the ppp daemon from inserting kernel modules. For complete SELinux messages. run sealert -l 002590b9-e0e3-4309-a508-d57d94a318dc
    Oct 10 22:25:27 hodge setroubleshoot: SELinux is preventing pppoe-connect (NetworkManager_t) "search" to ppp (pppd_etc_t). For complete SELinux messages. run sealert -l 2726aae0-0a5a-42ee-9358-63690d3c2fd6
Could you try
    restorecon -R -v /var/run
    chcon -t pppd_exec_t PATHTO/pppoe-status
to see if this fixes the problem.
Fixed in selinux-policy-2.6.4-49
Not fixed in 2-6.4.49.
    # rpm -q selinux-policy-targeted
    selinux-policy-targeted-2.6.4-49.fc7
From /var/log/messages:
    Nov 10 10:35:50 hodge kernel: ATM dev 0: ADSL line is up (2272 kb/s down | 288 kb/s up)
    Nov 10 10:35:56 hodge NetworkManager: <info> Activating dialup device ppp0 via Modem (ppp0) ...
    Nov 10 10:35:57 hodge pppd[5255]: Plugin pppoatm.so loaded.
    Nov 10 10:35:57 hodge pppd[5255]: PPPoATM plugin_init
    Nov 10 10:35:57 hodge pppd[5255]: PPPoATM setdevname_pppoatm - SUCCESS:0.38
    Nov 10 10:35:57 hodge pppd[5255]: Warning: couldn't open ppp database /var/run/pppd2.tdb
    Nov 10 10:35:57 hodge pppd[5255]: pppd 2.4.4 started by root, uid 0
    Nov 10 10:35:57 hodge pppd[5255]: Failed to create pid file /var/run/ppp-ppp0.pid: Permission denied
    Nov 10 10:35:57 hodge pppd[5255]: Using interface ppp0
    Nov 10 10:35:57 hodge pppd[5255]: Failed to create pid file /var/run/ppp0.pid: Permission denied
    Nov 10 10:35:57 hodge pppd[5255]: Fatal signal 11
    Nov 10 10:35:57 hodge pppd[5255]: Exit.
    Nov 10 10:35:57 hodge pppoe-connect: PPPoE connection lost; attempting re-connection.
    Nov 10 10:35:59 hodge setroubleshoot: SELinux is preventing /usr/sbin/pppd (pppd_t) "read write" to pppd2.tdb (var_run_t). For complete SELinux messages. run sealert -l 705b54fb-b5dd-40d6-84f2-9dba9988806d
    Nov 10 10:35:59 hodge setroubleshoot: SELinux is preventing /usr/sbin/pppd (pppd_t) "write" to ppp-ppp0.pid (var_run_t). For complete SELinux messages. run sealert -l 1f000f4c-42e8-43f2-a0f1-3c2b9d402cf2
    Nov 10 10:35:59 hodge setroubleshoot: SELinux is preventing the ppp daemon from inserting kernel modules. For complete SELinux messages. run sealert -l b47a9894-56c4-4691-ba88-d01a9807322e
    Nov 10 10:35:59 hodge setroubleshoot: SELinux is preventing the ppp daemon from inserting kernel modules. For complete SELinux messages. run sealert -l 002590b9-e0e3-4309-a508-d57d94a318dc
    Nov 10 10:35:59 hodge setroubleshoot: SELinux is preventing the ppp daemon from inserting kernel modules. For complete SELinux messages. run sealert -l 002590b9-e0e3-4309-a508-d57d94a318dc
    Nov 10 10:35:59 hodge setroubleshoot: SELinux is preventing /usr/sbin/pppd (pppd_t) "write" to ppp0.pid (var_run_t). For complete SELinux messages. run sealert -l b8d0bc24-f77f-49c7-ab25-f256386bc57b
Apologies - I hadn't run all the commands Dan asked me to. I have now - it works (brings up Internet connection), but plenty of stuff is still logged:
    Nov 10 10:44:47 hodge NetworkManager: <info> Activating dialup device ppp0 via Modem (ppp0) ...
    Nov 10 10:44:48 hodge pppd[6621]: Plugin pppoatm.so loaded.
    Nov 10 10:44:48 hodge pppd[6621]: PPPoATM plugin_init
    Nov 10 10:44:48 hodge pppd[6621]: PPPoATM setdevname_pppoatm - SUCCESS:0.38
    Nov 10 10:44:48 hodge pppd[6621]: pppd 2.4.4 started by root, uid 0
    Nov 10 10:44:48 hodge pppd[6621]: Using interface ppp0
    Nov 10 10:44:48 hodge pppd[6621]: Connect: ppp0 <--> 0.38
    Nov 10 10:44:48 hodge pppd[6621]: Couldn't increase MTU to 1500. Using 1492
    Nov 10 10:44:48 hodge pppd[6621]: Couldn't increase MRU to 1500. Using 1492
    Nov 10 10:44:50 hodge setroubleshoot: SELinux is preventing the ppp daemon from inserting kernel modules. For complete SELinux messages. run sealert -l 002590b9-e0e3-4309-a508-d57d94a318dc
    Nov 10 10:44:50 hodge setroubleshoot: SELinux is preventing the ppp daemon from inserting kernel modules. For complete SELinux messages. run sealert -l b47a9894-56c4-4691-ba88-d01a9807322e
    Nov 10 10:44:50 hodge setroubleshoot: SELinux is preventing the ppp daemon from inserting kernel modules. For complete SELinux messages. run sealert -l 002590b9-e0e3-4309-a508-d57d94a318dc
    Nov 10 10:44:51 hodge pppd[6621]: Couldn't increase MTU to 1500. Using 1492
    Nov 10 10:44:51 hodge pppd[6621]: CHAP authentication succeeded
    Nov 10 10:44:51 hodge pppd[6621]: CHAP authentication succeeded
    Nov 10 10:44:51 hodge pppd[6621]: local IP address 86.31.243.57
    Nov 10 10:44:51 hodge pppd[6621]: remote IP address 194.145.148.252
    Nov 10 10:44:51 hodge pppd[6621]: primary DNS address 194.168.4.100
    Nov 10 10:44:51 hodge pppd[6621]: secondary DNS address 194.168.8.100
    Nov 10 10:44:51 hodge NET[6671]: /etc/sysconfig/network-scripts/ifup-post : updated /etc/resolv.conf
    Nov 10 10:44:55 hodge setroubleshoot: SELinux is preventing pppoe-status (pppd_t) "getattr" to /var/run/pppoa-adsl.pid.pppd (NetworkManager_var_run_t). For complete SELinux messages. run sealert -l 7660bab4-741c-4f8e-8225-65571f93f67d
    Nov 10 10:45:26 hodge last message repeated 5 times
Also I've discovered that NetworkManager can't close the connection. Whether that's an SELinux bug caused by the above logged denials or not, I can't tell as I'm not expert enough.
After updating to selinux-policy-2.6.4-59.fc7 in fedora-testing could you attempt the connection and attach the /var/log/audit/audit.log?
I will do. I discovered that the location of the pid file was being set by the ifcfg-ppp0 file, and may not be standard (I cribbed it from a tutorial for using the Speedtouch). However there were still other messages even after I'd taken that out - I'll test it out.
My present status is that I no longer have the original connection I began this with available. But I am still using a ppp connection via NetworkManager. I have selinux-policy-2.6.4-61.fc7 installed. It works, both connecting and disconnecting, but every time I end the connection, I get this in the logs (and an alert bubble on the desktop to tell me about it):
    avc: denied { signal } for comm="pppd" egid=0 euid=0 exe="/usr/sbin/pppd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=26820 scontext=system_u:system_r:pppd_t:s0 sgid=0 subj=system_u:system_r:pppd_t:s0 suid=0 tclass=process tcontext=system_u:system_r:initrc_t:s0 tty=(none) uid=0
What process is running as initrc_t?
    ps -eZ | grep initrc_t
system_u:system_r:initrc_t 2612 ? 00:00:00 NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
Fixed in selinux-policy-2.6.4-67.fc7
Bulk closing old selinux policy bugs that were in the modified state. If the bug is still not fixed, please reopen.
This bug was not fixed in selinux-policy-2.6.4-67.fc7 - I can confirm that with this version I still get the error as in #8.
    # ls -Z /usr/sbin/NetworkManagerDispatcher
    -rwxr-xr-x root root system_u:object_r:NetworkManager_exec_t:s0 /usr/sbin/NetworkManagerDispatcher
If this does not match, run restorecon:
    restorecon /usr/sbin/NetworkManagerDispatcher
It's correctly labelled. In fact I did a relabel of the whole filesystem just to make sure. I have now seen this fault on two machines.
Fine, what label is on the NetworkManagerDispatcher?
    # ls -Z /usr/sbin/NetworkManagerDispatcher
I want to see if something went wrong with the update.
    # ls -Z /usr/sbin/NetworkManagerDispatcher
    -rwxr-xr-x root root system_u:object_r:NetworkManager_exec_t /usr/sbin/NetworkManagerDispatcher
Ok what AVC messages are you still seeing?
avc: denied { signal } for comm="pppd" egid=0 euid=0 exe="/usr/sbin/pppd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=23072 scontext=user_u:system_r:pppd_t:s0 sgid=0 subj=user_u:system_r:pppd_t:s0 suid=0 tclass=process tcontext=user_u:system_r:initrc_t:s0 tty=(none) uid=0
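An added example, not part of the original thread or of any Fedora tooling: a small Python triage helper that parses AVC records like the two quoted in this thread and groups them by source type, target type and object class. The function names `parse_avc` and `summarize` are hypothetical, and the sample records are abridged copies of the two denials above.

```python
import re
from collections import defaultdict

# Abridged copies of the two AVC records quoted in this thread.
SAMPLE = [
    'avc: denied { signal } for comm="pppd" exe="/usr/sbin/pppd" pid=26820 '
    'scontext=system_u:system_r:pppd_t:s0 tclass=process '
    'tcontext=system_u:system_r:initrc_t:s0',
    'avc: denied { signal } for comm="pppd" exe="/usr/sbin/pppd" pid=23072 '
    'scontext=user_u:system_r:pppd_t:s0 tclass=process '
    'tcontext=user_u:system_r:initrc_t:s0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    # A context is user:role:type[:level]; type enforcement keys on the type field.
    s, t = rec['scontext'].split(':'), rec['tcontext'].split(':')
    if len(s) < 3 or len(t) < 3:
        return None
    rec.update(perms=m.group('perms').split(), suser=s[0], stype=s[2], ttype=t[2])
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class), ignoring user and role."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0, 'users': set()})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['count'] += 1
        g['users'].add(rec['suser'])
    return dict(groups)


if __name__ == '__main__':
    for (s, t, c), g in summarize(SAMPLE).items():
        print(f"{s} -> {t} : {c} {{ {' '.join(sorted(g['perms']))} }} "
              f"x{g['count']} (SELinux users: {', '.join(sorted(g['users']))})")
```

Run over the two records, the helper reports a single group, pppd_t signalling initrc_t, with the SELinux user field (system_u versus user_u) as the only difference between them.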
Do you have the disabletrans boolean set?
    getsebool -a | grep disable | grep -i network
I get no output from the command given above, or even from:
    getsebool -a | grep disable
I tried to read the whole list of booleans, but none of them seemed close to the one mentioned above.
Ok, I was buried in other problems. What is the current state of this bug? Are you still seeing this avc?
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists. Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs: http://docs.fedoraproject.org/release-notes/ The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Yes, still seeing this same avc.
Are you planning on upgrading to Fedora 8 or 9?
Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. Fedora 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.