This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 452723 - ppp-watch cannot sigkill
ppp-watch cannot sigkill
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.1
i686 Linux
low Severity low
: rc
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-24 12:39 EDT by Gunnar Hellekson
Modified: 2008-08-12 10:27 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-08-12 10:27:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Gunnar Hellekson 2008-06-24 12:39:01 EDT
Summary
    SELinux is preventing /sbin/ppp-watch (pppd_t) "sigkill" access to <Unknown>
    (pppd_t).

Detailed Description
    SELinux denied access requested by /sbin/ppp-watch. It is not expected that
    this access is required by /sbin/ppp-watch and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown>. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "pppd_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P pppd_disable_trans=1."

    The following command will allow this access:
    setsebool -P pppd_disable_trans=1

Additional Information        

Source Context                user_u:system_r:pppd_t
Target Context                user_u:system_r:pppd_t
Target Objects                None [ process ]
Affected RPM Packages         initscripts-8.45.17.EL-1 [application]
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     ghelleks.csb
Platform                      Linux ghelleks.csb 2.6.18-53.1.21.el5 #1 SMP Wed
                              May 7 08:42:13 EDT 2008 i686 i686
Alert Count                   4
Line Numbers                  

Raw Audit Messages            

avc: denied { sigkill } for comm="ppp-watch" egid=0 euid=0 exe="/sbin/ppp-watch"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=6989
scontext=user_u:system_r:pppd_t:s0 sgid=0 subj=user_u:system_r:pppd_t:s0 suid=0
tclass=process tcontext=user_u:system_r:pppd_t:s0 tty=(none) uid=0



Steps to Reproduce:
1. Kill ppp-watch
2. Watch ppp-watch try to send pppd a sigkill
3. Watch setroubleshoot appear
  
Actual results:
AVC Denial

Expected results:
ppp-watch sends sigkill to pppd without an AVC
Comment 2 Daniel Walsh 2008-08-12 10:27:24 EDT
I believe this is fixed in U2 policy

Please update your selinux-policy-targeted package.

Note You need to log in before you can comment on or make changes to this bug.