Bug 453076 - vpnc no longer allowed to run /sbin/ip and /sbin/ifconfig
Summary: vpnc no longer allowed to run /sbin/ip and /sbin/ifconfig
Keywords:
Status: CLOSED DUPLICATE of bug 452887
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-27 05:38 UTC by Bill C. Riemers
Modified: 2008-06-27 05:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-27 05:41:22 UTC
Type: ---
Embargoed:



Description Bill C. Riemers 2008-06-27 05:38:25 UTC
Description of problem:

After today's security updates, vpnc no longer runs correctly.  In particular the
/etc/vpnc/vpnc-script is denied permission to run /sbin/ip and /sbin/ifconfig.

The file produced by audit2allow fails to validate with checkmodule.
 
Version-Release number of selected component (if applicable):


How reproducible:

100%

Steps to Reproduce:
1. Try to start vpnc
2.
3.
  
Actual results:

Connect Banner:
| ==============================
| Red Hat Inc
| Unauthorized access prohibited
| Violators will be prosecuted
| ==============================
/etc/vpnc/vpnc-script: line 100: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 101: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 105: /sbin/ifconfig: Permission denied
/etc/vpnc/vpnc-script: line 124: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 124: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 125: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied

Expected results:

Connect Banner:
| ==============================
| Red Hat Inc
| Unauthorized access prohibited
| Violators will be prosecuted
| ==============================



Additional info:

The output of audit2allow is:


module audit200806272 1.0;

=========== ROLES ===============
role unconfined_r types ifconfig_exec_t;
role unconfined_r types ifconfig_exec_t;
role unconfined_r types ifconfig_exec_t;
role unconfined_r types ifconfig_exec_t;
role unconfined_r types ifconfig_exec_t;


with the role line repeated dozens of times.

As a workaround I did:
chcon -t unconfined_execmem_exec_t /usr/sbin/vpnc

Naturally this allows vpnc to run, but it also allows it to do things it
shouldn't be allowed to do.

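The report's audit2allow output repeats a useless "role unconfined_r types ifconfig_exec_t;" line and fails checkmodule, and the chcon workaround relabels vpnc to a far broader unconfined type than the denial calls for. The script below is an added example, not code from the bug report or from the Fedora policy: it does by hand what audit2allow does for the execute denial at issue, reading raw AVC records, collapsing repeats into one rule per (source type, target type, class), and emitting a module with a single require block. The AVC lines are constructed sample input, and the source domain name vpnc_t is an assumption; the page only names the target type ifconfig_exec_t.

```python
"""Minimal AVC-to-policy converter (added example, not Fedora's or the reporter's code).

Reads SELinux AVC denial records of the kind audit2allow consumes, groups them by
(source type, target type, object class), and renders a deduplicated policy module.
"""
import re
from collections import defaultdict

# Constructed sample audit records, not taken from the bug report.
# ASSUMPTION: vpnc-script runs in a domain called vpnc_t; the target type
# ifconfig_exec_t is the one named in the report's audit2allow output.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1214545000.101:201): avc:  denied  { execute } for  pid=4321 comm="vpnc-script" name="ip" dev=sda1 ino=23456 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1214545000.102:202): avc:  denied  { execute } for  pid=4322 comm="vpnc-script" name="ifconfig" dev=sda1 ino=23457 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1214545000.103:203): avc:  denied  { read execute } for  pid=4323 comm="vpnc-script" name="ip" dev=sda1 ino=23456 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1214545000.103:203): arch=c000003e syscall=59 success=no exit=-13
"""

# Pulls the permission set, the type field of scontext/tcontext (user:role:TYPE:level)
# and the object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S*\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_avc(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)} for every denial.

    Records without an access vector (SYSCALL, PATH, ...) are skipped, and repeated
    denials of the same triple are merged, which is what keeps the output from
    growing a rule per log line the way the reporter's module grew role lines.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["stype"], m["ttype"], m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def render_module(denials, name="localvpnc", version="1.0"):
    """Render a loadable-module source (.te) with one require block and one allow rule per triple."""
    types = sorted({t for k in denials for t in (k[0], k[1])})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)

    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_module(parse_avc(SAMPLE_AUDIT_LOG)), end="")
```

The three denials collapse to a single `allow vpnc_t ifconfig_exec_t:file { execute read };`, which states exactly what was denied and nothing more, unlike relabeling /usr/sbin/vpnc to unconfined_execmem_exec_t. Two caveats a practitioner would want: a raw execute rule runs /sbin/ip inside the caller's domain rather than transitioning it into its own, so a real policy fix uses the reference policy's domain-transition interfaces instead of a bare allow; and a module generated this way (or with audit2allow -M) is a stopgap until the distribution policy is corrected, as happened for this bug through its duplicate.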
Comment 1 Bill C. Riemers 2008-06-27 05:41:22 UTC

*** This bug has been marked as a duplicate of 452887 ***

