Bug 459352 - SELinux prevents NetworkManager access to pppd which is required for 3g mobile broadband
SELinux prevents NetworkManager access to pppd which is required for 3g mobil...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
9
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-17 05:14 EDT by Paul Ross
Modified: 2008-08-18 12:41 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-08-18 12:41:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Paul Ross 2008-08-17 05:14:52 EDT
Description of problem:

If, under NetworkManager, you select the GSM Network Connection then the connection fails. SELinux then warns that it has blocked access to pppd from NetworkManager, with the following information:

SummarySELinux is preventing pppd (pppd_t) "read write" to ./pppd2.tdb 
(var_run_t). 

Detailed Description

SELinux denied access requested by pppd. It is not expected that this access is required by pppd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing AccessSometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./pppd2.tdb, restorecon -v './pppd2.tdb' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. 


Version-Release number of selected component (if applicable):

NetworkManager-gnome-0.7.0-0.9.4.svn3675.fc9.i386
NetworkManager-glib-0.7.0-0.9.4.svn3675.fc9.i386
NetworkManager-0.7.0-0.9.4.svn3675.fc9.i386
libselinux-devel-2.0.67-4.fc9.i386
libselinux-python-2.0.67-4.fc9.i386
selinux-policy-3.3.1-84.fc9.noarch
libselinux-2.0.67-4.fc9.i386
selinux-policy-devel-3.3.1-84.fc9.noarch
selinux-policy-targeted-3.3.1-84.fc9.noarch
rp-pppoe-3.8-3.fc9.i386
ppp-2.4.4-7.fc9.i386



How reproducible:

100%

Steps to Reproduce:
1.Boot the machine and log in to the GNOME desktop
2.On the bottom right, click on the NetworkManager icon
3.Select "Auto GSM network connection"
4.Observe the SELinux star appear
  
Actual results:

SELinux prevents access to pppd preventing the machine from using 3g mobile broadband.

Expected results:

SELinux should allow access to pppd allowing the machine to access 3g mobile broadband services

Additional info:
Comment 1 Daniel Walsh 2008-08-18 07:47:08 EDT
Did you run the restorecon command?  Did this fix the problem?

# restorecon -R -v /var/run/ppp*

I believe the problem is the file is somehow mislabled.  If you can figure out which process created this file that is probably the cuplret.

If it is created via an init script we might need to add a restorecon command to the init script.
Comment 2 Paul Ross 2008-08-18 12:41:32 EDT
Yes, a relabel fixed it.

Note You need to log in before you can comment on or make changes to this bug.