Description of problem:
After today's security updates, vpnc no longer runs correctly. In particular, the /etc/vpnc/vpnc-script is denied permission to run /sbin/ip and /sbin/ifconfig. The file produced by audit2allow fails to validate with checkmodule.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Try to start vpnc
2.
3.

Actual results:
Connect Banner:
| ==============================
| Red Hat Inc
| Unauthorized access prohibited
| Violators will be prosecuted
| ==============================
/etc/vpnc/vpnc-script: line 100: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 101: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 105: /sbin/ifconfig: Permission denied
/etc/vpnc/vpnc-script: line 124: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 124: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 125: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied

Expected results:
Connect Banner:
| ==============================
| Red Hat Inc
| Unauthorized access prohibited
| Violators will be prosecuted
| ==============================

Additional info:
The output of audit2allow is:

module audit200806272 1.0;
=========== ROLES ===============
role unconfined_r types ifconfig_exec_t;
role unconfined_r types ifconfig_exec_t;
role unconfined_r types ifconfig_exec_t;
role unconfined_r types ifconfig_exec_t;
role unconfined_r types ifconfig_exec_t;

with the role line repeated dozens of times.

As a workaround I did:

chcon -t unconfined_execmem_exec_t /usr/sbin/vpnc

Naturally this allows vpnc to run, but it also allows it to do things it shouldn't be allowed to do.

*** This bug has been marked as a duplicate of 452887 ***