Bug 382931 - SELinux prevents vpnc from getattr on /var/log
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All Linux
Priority: low  Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-11-14 12:41 EST by Jeff Bastian
Modified: 2008-01-30 14:06 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:06:03 EST

Attachments:
SELinux audit log blocking vpnc-script (9.81 KB, text/plain), 2007-11-14 14:17 EST, Jeff Bastian

Description Jeff Bastian 2007-11-14 12:41:36 EST
Description of problem:
When making a VPN connection, the SELinux Troubleshooter pops up and says
  SELinux is preventing vpnc-script (vpnc_t) "getattr" to /var/log (var_log_t).

It says running
  restorecon -v /var/log
may fix the problem, but it does not.

Here's the error from /var/log/messages:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nov 13 16:43:53 wasp setroubleshoot: #012    SELinux is preventing sh (vpnc_t)
"search" to <Unknown> (var_log_t).#012     For complete SELinux messages. run
sealert -l d5499172-9b3a-435c-9b63-84b255287132
Nov 13 16:43:53 wasp setroubleshoot: #012    SELinux is preventing vpnc-script
(vpnc_t) "getattr" to /var/log (var_log_t).#012     For complete SELinux
messages. run sealert -l 61a62496-9158-40b2-897d-6346dd7dfcb0
Nov 13 16:43:53 wasp setroubleshoot: #012    SELinux is preventing vpnc-script
(vpnc_t) "search" to <Unknown> (var_log_t).#012     For complete SELinux
messages. run sealert -l d5499172-9b3a-435c-9b63-84b255287132
Nov 13 16:43:54 wasp setroubleshoot: #012    SELinux is preventing sh (vpnc_t)
"search" to <Unknown> (var_log_t).#012     For complete SELinux messages. run
sealert -l d5499172-9b3a-435c-9b63-84b255287132
Nov 13 16:43:54 wasp setroubleshoot: #012    SELinux is preventing vpnc-script
(vpnc_t) "getattr" to /var/log (var_log_t).#012     For complete SELinux
messages. run sealert -l 61a62496-9158-40b2-897d-6346dd7dfcb0
Nov 13 16:43:54 wasp setroubleshoot: #012    SELinux is preventing vpnc-script
(vpnc_t) "search" to <Unknown> (var_log_t).#012     For complete SELinux
messages. run sealert -l d5499172-9b3a-435c-9b63-84b255287132
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-47.fc8
selinux-policy-targeted-3.0.8-47.fc8
vpnc-0.5.1-1.fc8


How reproducible:
fairly often

Steps to Reproduce:
1. Boot F8 with SELinux enabled and targeted
2. Open a VPN connection with vpnc
3. Watch SELinux Troubleshooter pop-up, or check /var/log/messages for above error
  
Actual results:
/etc/vpnc/vpnc-script is prevented from running successfully

Expected results:
/etc/vpnc/vpnc-script should be allowed to do whatever it's trying to do. 

Additional info:
Comment 1 Daniel Walsh 2007-11-14 13:48:14 EST
What is the script trying to do?
Comment 2 Jeff Bastian 2007-11-14 13:53:02 EST
I'm not sure.  The script is part of the vpnc package.  According to the vpnc(8)
man page:
       --script <command>
              command  is  executed using system() to configure the interface,
              routing and so on. Device name, IP, etc. are passed using
              environment variables, see README. This script is executed right
              after ISAKMP is done, but before tunneling  is  enabled.  It  is
              called when vpnc terminates, too
              Default: /etc/vpnc/vpnc-script
       conf-variable: Script <command>
Comment 3 Daniel Walsh 2007-11-14 13:59:19 EST
Could you attach the audit.log that you saw when running this application?

Did vpnc succeed in enforcing mode?

Comment 4 Jeff Bastian 2007-11-14 14:02:46 EST
I just scanned over the script and it does a number of things including
  1. setting up the routes for the VPN connection
  2. modifying resolv.conf
  3. tweaking netmask and MTU on the VPN tunX interface

But I don't see where it's doing anything with /var/log/* ....
Comment 5 Jeff Bastian 2007-11-14 14:17:15 EST
Created attachment 258591 [details]
SELinux audit log blocking vpnc-script

vpnc did succeed in connecting me so SELinux is only partially blocking the
script.

Here are the entries from /var/log/audit/audit.log from yesterday at 16:43 when
I last saw this.
Comment 6 Jeff Bastian 2007-11-14 14:28:53 EST
I run vpnc through sudo.  Maybe SELinux doesn't like that?
Comment 7 Daniel Walsh 2007-11-14 15:04:32 EST
Nope, I have no idea.  Unless you are running the sudo command while sitting in
/var/log directory.

I have added a dontaudit line in selinux-policy-3.0.8-56
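To make the denial in this thread concrete in policy terms, here is an added Python example; it is not code from the bug, from setroubleshoot or from audit2allow. It parses AVC records in the standard audit.log layout, groups the denied permissions by (source type, target type, object class) and emits the single dontaudit statement that covers them, which is the shape of the fix Daniel Walsh describes above. The records, PIDs, inode numbers and timestamps below are constructed for the example (the bug's actual attachment is not reproduced); only the vpnc_t/var_log_t pairing and the getattr/search permissions mirror the bug. The `dir` object class is an assumption based on /var/log being a directory.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (assumption: NOT the bug's attachment).
# Layout follows the standard kernel AVC record; the vpnc_t -> var_log_t pairing
# and the getattr/search permissions mirror the denials reported in the bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1195000000.101:201): avc:  denied  { getattr } for  pid=4321 comm="vpnc-script" path="/var/log" dev=sda2 ino=131073 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1195000000.101:201): arch=c000003e syscall=4 success=no exit=-13 comm="vpnc-script"
type=AVC msg=audit(1195000000.102:202): avc:  denied  { search } for  pid=4322 comm="sh" name="log" dev=sda2 ino=131073 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1195000000.103:203): avc:  denied  { search } for  pid=4321 comm="vpnc-script" name="log" dev=sda2 ino=131073 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1195000000.104:204): avc:  denied  { getattr } for  pid=4321 comm="vpnc-script" path="/var/log" dev=sda2 ino=131073 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

# "avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A security context is user:role:type[:level]; policy rules name the type.
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", ""),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def collect_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(groups)


def policy_statements(log_text, verb="dontaudit"):
    """One policy statement per group.

    'dontaudit' only silences the message and grants nothing, which is the
    least-privilege choice when the program works anyway (as vpnc did in this
    bug).  Use verb='allow' only when the access is genuinely required.
    """
    if verb not in ("allow", "dontaudit"):
        raise ValueError("verb must be 'allow' or 'dontaudit'")
    return [
        f"{verb} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(collect_denials(log_text).items())
    ]


if __name__ == "__main__":
    for stmt in policy_statements(SAMPLE_AUDIT_LOG):
        print(stmt)
```

Run as-is it prints `dontaudit vpnc_t var_log_t:dir { getattr search };`. Grouping by type triple rather than by process name is deliberate: both `sh` and `vpnc-script` run in vpnc_t, so one statement covers every denial, and the SYSCALL record is skipped because only AVC records carry a context pair.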
Comment 8 Daniel Walsh 2008-01-30 14:06:03 EST
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.