Description of problem:
When making a VPN connection, the SELinux Troubleshooter pops up and says SELinux is preventing vpnc-script (vpnc_t) "getattr" to /var/log (var_log_t). It says running restorecon -v /var/log may fix the problem, but it does not.

Here's the error from /var/log/messages:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nov 13 16:43:53 wasp setroubleshoot: #012 SELinux is preventing sh (vpnc_t) "search" to <Unknown> (var_log_t).#012 For complete SELinux messages. run sealert -l d5499172-9b3a-435c-9b63-84b255287132
Nov 13 16:43:53 wasp setroubleshoot: #012 SELinux is preventing vpnc-script (vpnc_t) "getattr" to /var/log (var_log_t).#012 For complete SELinux messages. run sealert -l 61a62496-9158-40b2-897d-6346dd7dfcb0
Nov 13 16:43:53 wasp setroubleshoot: #012 SELinux is preventing vpnc-script (vpnc_t) "search" to <Unknown> (var_log_t).#012 For complete SELinux messages. run sealert -l d5499172-9b3a-435c-9b63-84b255287132
Nov 13 16:43:54 wasp setroubleshoot: #012 SELinux is preventing sh (vpnc_t) "search" to <Unknown> (var_log_t).#012 For complete SELinux messages. run sealert -l d5499172-9b3a-435c-9b63-84b255287132
Nov 13 16:43:54 wasp setroubleshoot: #012 SELinux is preventing vpnc-script (vpnc_t) "getattr" to /var/log (var_log_t).#012 For complete SELinux messages. run sealert -l 61a62496-9158-40b2-897d-6346dd7dfcb0
Nov 13 16:43:54 wasp setroubleshoot: #012 SELinux is preventing vpnc-script (vpnc_t) "search" to <Unknown> (var_log_t).#012 For complete SELinux messages. run sealert -l d5499172-9b3a-435c-9b63-84b255287132
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-47.fc8
selinux-policy-targeted-3.0.8-47.fc8
vpnc-0.5.1-1.fc8

How reproducible:
fairly often

Steps to Reproduce:
1. Boot F8 with SELinux enabled and targeted
2. Open a VPN connection with vpnc
3. Watch SELinux Troubleshooter pop-up, or check /var/log/messages for the above error

Actual results:
/etc/vpnc/vpnc-script is prevented from running successfully

Expected results:
/etc/vpnc/vpnc-script should be allowed to do whatever it's trying to do.

Additional info:
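The setroubleshoot lines above carry everything needed to see which domain, permission and target type are involved. As an added example (not part of the bug report or of the vpnc or selinux-policy packages), the following script parses such /var/log/messages lines, groups the denials by source type, target type and permission, and renders the corresponding policy statement in the style of the dontaudit rule the maintainer ends up adding. The sample log is constructed from the six lines quoted in the report; the object class is assumed to be `dir`, since the messages do not name it and both `search` and `getattr` on /var/log apply to a directory.

```python
import re
from collections import defaultdict

# Constructed sample: the six setroubleshoot lines quoted in the bug report.
SAMPLE_LOG = """\
Nov 13 16:43:53 wasp setroubleshoot: #012 SELinux is preventing sh (vpnc_t) "search" to <Unknown> (var_log_t).#012 For complete SELinux messages. run sealert -l d5499172-9b3a-435c-9b63-84b255287132
Nov 13 16:43:53 wasp setroubleshoot: #012 SELinux is preventing vpnc-script (vpnc_t) "getattr" to /var/log (var_log_t).#012 For complete SELinux messages. run sealert -l 61a62496-9158-40b2-897d-6346dd7dfcb0
Nov 13 16:43:53 wasp setroubleshoot: #012 SELinux is preventing vpnc-script (vpnc_t) "search" to <Unknown> (var_log_t).#012 For complete SELinux messages. run sealert -l d5499172-9b3a-435c-9b63-84b255287132
Nov 13 16:43:54 wasp setroubleshoot: #012 SELinux is preventing sh (vpnc_t) "search" to <Unknown> (var_log_t).#012 For complete SELinux messages. run sealert -l d5499172-9b3a-435c-9b63-84b255287132
Nov 13 16:43:54 wasp setroubleshoot: #012 SELinux is preventing vpnc-script (vpnc_t) "getattr" to /var/log (var_log_t).#012 For complete SELinux messages. run sealert -l 61a62496-9158-40b2-897d-6346dd7dfcb0
Nov 13 16:43:54 wasp setroubleshoot: #012 SELinux is preventing vpnc-script (vpnc_t) "search" to <Unknown> (var_log_t).#012 For complete SELinux messages. run sealert -l d5499172-9b3a-435c-9b63-84b255287132
"""

# "#012" is syslog's escaped newline; the message itself is one physical line.
DENIAL_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) setroubleshoot: #012 '
    r'SELinux is preventing (?P<comm>\S+) \((?P<stype>\w+)\) '
    r'"(?P<perm>\w+)" to (?P<target>.+?) \((?P<ttype>\w+)\)\.#012 '
    r'For complete SELinux messages\. run sealert -l (?P<alert>[0-9a-f-]+)\s*$'
)


def parse_denials(text):
    """Return one dict per setroubleshoot denial line; non-matching lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = DENIAL_RE.match(line)
        if m:
            denials.append(m.groupdict())
    return denials


def summarize(denials):
    """Group denials by (source type, target type, permission) with counts,
    the commands that triggered them and the sealert ids to look up."""
    summary = defaultdict(lambda: {"count": 0, "comms": set(), "alerts": set()})
    for d in denials:
        entry = summary[(d["stype"], d["ttype"], d["perm"])]
        entry["count"] += 1
        entry["comms"].add(d["comm"])
        entry["alerts"].add(d["alert"])
    return dict(summary)


def te_rules(summary, kind="dontaudit", tclass="dir"):
    """Render one policy statement per (source type, target type) pair.
    kind is "dontaudit" (silence the noise, as the maintainer did) or "allow".
    tclass is an assumption: setroubleshoot lines do not carry the object class."""
    perms = defaultdict(set)
    for (stype, ttype, perm) in summary:
        perms[(stype, ttype)].add(perm)
    return [
        f"{kind} {stype} {ttype}:{tclass} {{ {' '.join(sorted(p))} }};"
        for (stype, ttype), p in sorted(perms.items())
    ]


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    summary = summarize(denials)
    for key, entry in sorted(summary.items()):
        print(key, entry["count"], sorted(entry["comms"]), sorted(entry["alerts"]))
    for rule in te_rules(summary):
        print(rule)
```

On a real system the same lines come from /var/log/messages, and the full AVC record (including the object class this script has to assume) is in /var/log/audit/audit.log, so a rule generated this way should be checked against that record before it goes into a local policy module.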
What is the script trying to do?
I'm not sure. The script is part of the vpnc package. According to the vpnc(8) man page:

    --script <command>
        command is executed using system() to configure the interface, routing and so on. Device name, IP, etc. are passed using environment variables, see README. This script is executed right after ISAKMP is done, but before tunneling is enabled. It is called when vpnc terminates, too.
        Default: /etc/vpnc/vpnc-script
        conf-variable: Script <command>
Could you attach the audit.log that you saw when running this application? Did vpnc succeed in enforcing mode?
I just scanned over the script and it does a number of things including:
1. setting up the routes for the VPN connection
2. modifying resolv.conf
3. tweaking netmask and MTU on the VPN tunX interface
But I don't see where it's doing anything with /var/log/* ....
Created attachment 258591: SELinux audit log blocking vpnc-script

vpnc did succeed in connecting me, so SELinux is only partially blocking the script. Here are the entries from /var/log/audit/audit.log from yesterday at 16:43 when I last saw this.
I run vpnc through sudo. Maybe SELinux doesn't like that?
Nope, I have no idea. Unless you are running the sudo command while sitting in the /var/log directory. I have added a dontaudit line in selinux-policy-3.0.8-56.
Bulk closing old selinux-policy bugs that were in the modified state. If the bug is still not fixed, please reopen.