Bug 453076 - vpnc no longer allowed to run /sbin/ip and /sbin/ipconfig
Status: CLOSED DUPLICATE of bug 452887
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Keywords: Regression
Reported: 2008-06-27 01:38 EDT by Bill C. Riemers
Modified: 2008-06-27 01:41 EDT (History)
Last Closed: 2008-06-27 01:41:22 EDT


Description Bill C. Riemers 2008-06-27 01:38:25 EDT
Description of problem:

After today's security updates, vpnc no longer runs correctly.  In particular the
/etc/vpnc/vpnc-script is denied permission to run /sbin/ip and /sbin/ifconfig.

The file produced by audit2allow fails to validate with checkmodule.
 
Version-Release number of selected component (if applicable):


How reproducible:

100%

Steps to Reproduce:
1. Try to start vpnc
  
Actual results:

Connect Banner:
| ==============================
| Red Hat Inc
| Unauthorized access prohibited
| Violators will be prosecuted
| ==============================
/etc/vpnc/vpnc-script: line 100: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 101: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 105: /sbin/ifconfig: Permission denied
/etc/vpnc/vpnc-script: line 124: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 124: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 125: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 144: /sbin/ip: Permission denied

Expected results:

Connect Banner:
| ==============================
| Red Hat Inc
| Unauthorized access prohibited
| Violators will be prosecuted
| ==============================



Additional info:

The output of audit2allow is:


module audit200806272 1.0;

=========== ROLES ===============
role unconfined_r types ifconfig_exec_t;
role unconfined_r types ifconfig_exec_t;
role unconfined_r types ifconfig_exec_t;
role unconfined_r types ifconfig_exec_t;
role unconfined_r types ifconfig_exec_t;


with the role line repeated dozens of times.

As a workaround I did:
chcon -t unconfined_execmem_exec_t /usr/sbin/vpnc

Naturally this allows vpnc to run, but it also allows it to do things it
shouldn't be allowed to do.
Comment 1 Bill C. Riemers 2008-06-27 01:41:22 EDT

*** This bug has been marked as a duplicate of 452887 ***
