Bug 382931 - SELinux prevents vpnc from getattr on /var/log
Summary: SELinux prevents vpnc from getattr on /var/log
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-11-14 17:41 UTC by Jeff Bastian
Modified: 2008-01-30 19:06 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 19:06:03 UTC
Type: ---
Embargoed:


Attachments
SELinux audit log blocking vpnc-script (9.81 KB, text/plain)
2007-11-14 19:17 UTC, Jeff Bastian

Description Jeff Bastian 2007-11-14 17:41:36 UTC
Description of problem:
When making a VPN connection, the SELinux Troubleshooter pops up and says
  SELinux is preventing vpnc-script (vpnc_t) "getattr" to /var/log (var_log_t).

It says running
  restorecon -v /var/log
may fix the problem, but it does not.

Here's the error from /var/log/messages:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nov 13 16:43:53 wasp setroubleshoot: #012    SELinux is preventing sh (vpnc_t)
"search" to <Unknown> (var_log_t).#012     For complete SELinux messages. run
sealert -l d5499172-9b3a-435c-9b63-84b255287132
Nov 13 16:43:53 wasp setroubleshoot: #012    SELinux is preventing vpnc-script
(vpnc_t) "getattr" to /var/log (var_log_t).#012     For complete SELinux
messages. run sealert -l 61a62496-9158-40b2-897d-6346dd7dfcb0
Nov 13 16:43:53 wasp setroubleshoot: #012    SELinux is preventing vpnc-script
(vpnc_t) "search" to <Unknown> (var_log_t).#012     For complete SELinux
messages. run sealert -l d5499172-9b3a-435c-9b63-84b255287132
Nov 13 16:43:54 wasp setroubleshoot: #012    SELinux is preventing sh (vpnc_t)
"search" to <Unknown> (var_log_t).#012     For complete SELinux messages. run
sealert -l d5499172-9b3a-435c-9b63-84b255287132
Nov 13 16:43:54 wasp setroubleshoot: #012    SELinux is preventing vpnc-script
(vpnc_t) "getattr" to /var/log (var_log_t).#012     For complete SELinux
messages. run sealert -l 61a62496-9158-40b2-897d-6346dd7dfcb0
Nov 13 16:43:54 wasp setroubleshoot: #012    SELinux is preventing vpnc-script
(vpnc_t) "search" to <Unknown> (var_log_t).#012     For complete SELinux
messages. run sealert -l d5499172-9b3a-435c-9b63-84b255287132
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-47.fc8
selinux-policy-targeted-3.0.8-47.fc8
vpnc-0.5.1-1.fc8


How reproducible:
fairly often

Steps to Reproduce:
1. Boot F8 with SELinux enabled and targeted
2. Open a VPN connection with vpnc
3. Watch SELinux Troubleshooter pop-up, or check /var/log/messages for above error
  
Actual results:
/etc/vpnc/vpnc-script is prevented from running successfully

Expected results:
/etc/vpnc/vpnc-script should be allowed to do whatever it's trying to do. 

Additional info:

Comment 1 Daniel Walsh 2007-11-14 18:48:14 UTC
What is the script trying to do?

Comment 2 Jeff Bastian 2007-11-14 18:53:02 UTC
I'm not sure.  The script is part of the vpnc package.  According to the vpnc(8)
man page:
       --script <command>
              command is executed using system() to configure the interface,
              routing and so on. Device name, IP, etc. are passed using
              environment variables, see README. This script is executed right
              after ISAKMP is done, but before tunneling is enabled. It is
              called when vpnc terminates, too.
              Default: /etc/vpnc/vpnc-script
       conf-variable: Script <command>


Comment 3 Daniel Walsh 2007-11-14 18:59:19 UTC
Could you attach the audit.log that you saw when running this application?

Did vpnc succeed in enforcing mode?



Comment 4 Jeff Bastian 2007-11-14 19:02:46 UTC
I just scanned over the script and it does a number of things including
  1. setting up the routes for the VPN connection
  2. modifying resolv.conf
  3. tweaking the netmask and MTU on the VPN tunX interface

But I don't see where it's doing anything with /var/log/* ....

Comment 5 Jeff Bastian 2007-11-14 19:17:15 UTC
Created attachment 258591 [details]
SELinux audit log blocking vpnc-script

vpnc did succeed in connecting me so SELinux is only partially blocking the
script.

Here are the entries from /var/log/audit/audit.log from yesterday at 16:43 when
I last saw this.

Comment 6 Jeff Bastian 2007-11-14 19:28:53 UTC
I run vpnc through sudo.  Maybe SELinux doesn't like that?

Comment 7 Daniel Walsh 2007-11-14 20:04:32 UTC
Nope, I have no idea.  Unless you are running the sudo command while sitting in
the /var/log directory.

I have added a dontaudit line in selinux-policy-3.0.8-56

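An added example, not code from this bug, from vpnc or from selinux-policy: a small stand-alone Python triage tool that reads raw audit.log AVC records of the kind attached in comment 5, collapses repeated denials per source type, target type and object class the way audit2allow does, and emits a local policy module carrying a dontaudit rule of the kind comment 7 describes. The audit lines below are constructed to mirror the reported denials (vpnc_t getattr/search on var_log_t); the pids, inodes, timestamps and the module name localvpnc are invented, and they are not the contents of attachment 258591.

```python
"""Triage SELinux AVC denials into a minimal local policy module.

Added example for this bug report; it is not part of selinux-policy or vpnc.
It reproduces the aggregation step of audit2allow without needing libselinux
or a running audit daemon, so it can be run offline on a saved audit.log.
"""
import re
from collections import defaultdict

# Constructed audit.log records modelled on the denials described in this bug
# (vpnc_t -> var_log_t, getattr and search on a dir). Not the real attachment;
# pids, inodes and timestamps are made up. The SYSCALL line shows that
# non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1194972233.412:301): avc:  denied  { getattr } for  pid=4211 comm="vpnc-script" path="/var/log" dev=sda3 ino=131073 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1194972233.412:301): arch=c000003e syscall=4 success=no exit=-13 comm="vpnc-script" exe="/bin/bash" subj=system_u:system_r:vpnc_t:s0
type=AVC msg=audit(1194972233.413:302): avc:  denied  { search } for  pid=4211 comm="vpnc-script" name="log" dev=sda3 ino=131073 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1194972233.415:303): avc:  denied  { search } for  pid=4212 comm="sh" name="log" dev=sda3 ino=131073 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1194972234.002:304): avc:  denied  { getattr } for  pid=4213 comm="vpnc-script" path="/var/log" dev=sda3 ino=131073 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """user:role:type[:level] -> type (e.g. system_u:system_r:vpnc_t:s0 -> vpnc_t)."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC denial record; non-AVC and granted records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m or m.group("result") != "denied":
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "serial": int(m.group("serial")),
            "comm": fields.get("comm", "?"),
            # path= is present when the kernel could resolve it, else only name=
            "object": fields.get("path") or fields.get("name") or "<Unknown>",
            "source": _type_of(fields["scontext"]),
            "target": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            "perms": frozenset(m.group("perms").split()),
        })
    return records


def aggregate(records):
    """Collapse repeated denials into {(source, target, tclass): set(perms)}."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["source"], r["target"], r["tclass"])].update(r["perms"])
    return dict(rules)


def te_rule(kind, source, target, tclass, perms):
    """Render one TE rule, e.g. 'dontaudit vpnc_t var_log_t:dir { getattr search };'."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError(kind)
    return f"{kind} {source} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"


def build_module(name, rules, kind):
    """Emit refpolicy-style .te source for a local module carrying the given rules.

    Use kind="dontaudit" when, as in this bug, the program still works despite
    the denial and only the noise should go away; use "allow" only for a denial
    that actually breaks the program, since an allow widens the confined domain.
    """
    types = sorted({s for (s, _t, _c) in rules} | {t for (_s, t, _c) in rules})
    classes = defaultdict(set)
    for (_s, _t, c), perms in rules.items():
        classes[c].update(perms)
    lines = [f"policy_module({name}, 1.0)", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [te_rule(kind, s, t, c, perms) for (s, t, c), perms in sorted(rules.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT_LOG)
    for d in denials:
        print(f"#{d['serial']}: {d['comm']} ({d['source']}) {sorted(d['perms'])} on "
              f"{d['object']} ({d['target']}:{d['tclass']})")
    print(build_module("localvpnc", aggregate(denials), kind="dontaudit"))
```

The generated .te is what you would feed to the standard selinux-policy-devel build (make -f /usr/share/selinux/devel/Makefile localvpnc.pp, then semodule -i localvpnc.pp) to silence the denials locally until the shipped policy carries the rule; running audit2allow -w on the same records first tells you whether an existing boolean already covers the access, which is cheaper than a custom module.
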
Comment 8 Daniel Walsh 2008-01-30 19:06:03 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.

