Bug 487438 - Cannot run pppd via mgetty
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-02-25 18:24 EST by Orion Poplawski
Modified: 2009-03-03 10:32 EST (History)
Last Closed: 2009-03-03 10:32:16 EST
Description Orion Poplawski 2009-02-25 18:24:46 EST
Description of problem:

Setting up a dialin server with mgetty starting pppd.  Get:

Feb 25 15:44:45 inferno kernel: type=1400 audit(1235601885.349:18): avc:  denied  { read write } for  pid=29071 comm="pppd" name="pppd2.tdb" dev=dm-1 ino=5734422 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file 
Feb 25 15:44:45 inferno kernel: type=1400 audit(1235601885.349:19): avc:  denied  { lock } for  pid=29071 comm="pppd" path="/var/run/pppd2.tdb" dev=dm-1 ino=5734422 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file                                                                                   
Feb 25 15:44:45 inferno kernel: type=1400 audit(1235601885.349:20): avc:  denied  { getattr } for  pid=29071 comm="pppd" path="/var/run/pppd2.tdb" dev=dm-1 ino=5734422 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file                                                                                

 
Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-45.fc10.noarch
Comment 1 Orion Poplawski 2009-02-25 18:26:14 EST
Also see this for the mgetty process:

Feb 25 15:42:41 inferno kernel: type=1400 audit(1235601761.610:15): avc:  denied  { setattr } for  pid=29071 comm="mgetty" name="mgetty.pid.ttyS0" dev=dm-1 ino=5734426 scontext=system_u:system_r:getty_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Feb 25 15:42:41 inferno mgetty[29071]: can't chmod() pid file: Permission denied
Feb 25 15:44:45 inferno kernel: type=1400 audit(1235601885.336:17): avc:  denied  { unlink } for  pid=29071 comm="mgetty" name="mgetty.pid.ttyS0" dev=dm-1 ino=5734426 scontext=system_u:system_r:getty_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Comment 2 Miroslav Grepl 2009-02-26 07:16:39 EST
It seems like a labeling problem. Could you try:

# restorecon -R -v /var/run
Comment 3 Daniel Walsh 2009-02-26 09:22:33 EST
I agree this looks like a labeling problem.
Comment 4 Orion Poplawski 2009-02-26 10:42:53 EST
Okay, that did:

restorecon reset /var/run/pppd2.tdb context unconfined_u:object_r:var_run_t:s0->system_u:object_r:pppd_var_run_t:s0
restorecon reset /var/log/mgetty.log.ttyS0 context unconfined_u:object_r:var_log_t:s0->system_u:object_r:getty_log_t:s0

but how are these to get set correctly initially?
Comment 5 Daniel Walsh 2009-03-02 21:47:49 EST
Million dollar question.

Either something did not transition and ran as initrc_t.

Or could you have run these commands directly outside of the service so that these files could have been created by unconfined_t?
Comment 6 Orion Poplawski 2009-03-03 10:32:16 EST
(In reply to comment #5)
> Or could you have run these commands directly outside of the service so that
> these files could have been created by unconfined_t?

That was probably it.  Thanks again.
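
A triage sketch for the denials in this report, added here as an example and not part of the original bug thread: it groups AVC records by inode and flags targets that carry a generic type such as var_run_t, the pattern comments 2 to 5 diagnose as a labeling problem. The generic-type list and the verdict strings are assumptions made for illustration.

```python
import re

# AVC denials copied from the report above (syslog prefix and padding trimmed).
SAMPLE_LOG = [
    'avc:  denied  { read write } for  pid=29071 comm="pppd" name="pppd2.tdb" dev=dm-1 ino=5734422 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'avc:  denied  { lock } for  pid=29071 comm="pppd" path="/var/run/pppd2.tdb" dev=dm-1 ino=5734422 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'avc:  denied  { setattr } for  pid=29071 comm="mgetty" name="mgetty.pid.ttyS0" dev=dm-1 ino=5734426 scontext=system_u:system_r:getty_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?(?:name|path)="(?P<obj>[^"]+)"\s+dev=(?P<dev>\S+)\s+ino=(?P<ino>\d+)'
    r'\s+scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# Assumption (not taken from the page): generic directory types that a new file
# inherits when no file type transition applied at creation time.
GENERIC_TYPES = {"var_run_t", "var_log_t", "var_lib_t", "tmp_t"}


def triage(lines):
    """Group denials by (dev, inode) and flag targets that look mislabeled."""
    findings = {}
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial in the kernel format shown above
        # Context is user:role:type:level; the level may itself contain colons.
        t_user, _role, t_type = m["tcon"].split(":")[:3]
        f = findings.setdefault((m["dev"], m["ino"]), {
            "object": m["obj"], "domain": m["scon"].split(":")[2],
            "target_type": t_type, "perms": set(), "verdict": "review policy"})
        f["perms"].update(m["perms"].split())
        if m["obj"].startswith("/"):
            f["object"] = m["obj"]  # prefer a full path over a bare name
        if t_type in GENERIC_TYPES:
            # Heuristic: the file's SELinux user hints at who created it.
            f["verdict"] = ("mislabeled: created from an unconfined session"
                            if t_user == "unconfined_u"
                            else "mislabeled: creator did not transition")
    return findings


if __name__ == "__main__":
    for key, f in triage(SAMPLE_LOG).items():
        print(key, f["object"], f["domain"], sorted(f["perms"]), f["verdict"])
```

On a live system, `restorecon -n -v` on a flagged path reports the label the policy expects without changing anything.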
