Bug 453248 - security_compute_sid: invalid context unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-06-28 06:56 EDT by Miloslav Trmač
Modified: 2008-07-02 08:27 EDT
Doc Type: Bug Fix
Last Closed: 2008-07-02 08:27:20 EDT

Description Miloslav Trmač 2008-06-28 06:56:25 EDT
Description of problem:
(cd /; sudo /usr/sbin/vpnc) connects, but setting up the network fails with
about 15 messages:
/etc/vpnc/vpnc-script: line 99: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 100: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 104: /sbin/ifconfig: Permission denied
... and so on.

audit.log contains the following:

type=SELINUX_ERR msg=audit(1214650324.205:212): security_compute_sid:  invalid
context unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 for
scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1214650324.205:212): arch=40000003 syscall=11 success=no
exit=-13 a0=8a1da98 a1=8a2f4e8 a2=8a19c98 a3=0 items=0 ppid=11903 pid=11904
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1
comm="vpnc-script" exe="/bin/bash"
subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
(... and so on, repeated several times.)

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-69.fc9.noarch
AFAICT this started happening after upgrading to this policy.

Additional info:
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ ls -Z /usr/bin/sudo /usr/sbin/vpnc /etc/vpnc/vpnc-script /sbin/ip /sbin/ifconfig 
-rwxr-xr-x  root root system_u:object_r:etc_t:s0       /etc/vpnc/vpnc-script
-rwxr-xr-x  root root system_u:object_r:ifconfig_exec_t:s0 /sbin/ifconfig
-rwxr-xr-x  root root system_u:object_r:ifconfig_exec_t:s0 /sbin/ip
---s--x--x  root root system_u:object_r:sudo_exec_t:s0 /usr/bin/sudo
-rwxr-xr-x  root root system_u:object_r:vpnc_exec_t:s0 /usr/sbin/vpnc

Relabeling didn't fix the problem.
Comment 1 Miloslav Trmač 2008-07-02 08:27:20 EDT
Seems to work with selinux-policy-3.3.1-72.fc9.noarch.
