Bug 498789 - AVC denial when starting a DSL connection (F11 Rawhide)
AVC denial when starting a DSL connection (F11 Rawhide)
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: ppp (Show other bugs)
11
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Jiri Skala
Fedora Extras Quality Assurance
:
: 554626 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-05-03 07:27 EDT by Viktor Erdelyi
Modified: 2014-11-09 17:31 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-01-06 02:34:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Viktor Erdelyi 2009-05-03 07:27:18 EDT
Summary:

SELinux is preventing consoletype (consoletype_t) "read write" pppd_t.

Detailed Description:

SELinux denied access requested by consoletype. It is not expected that this
access is required by consoletype and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consoletype_t:s0
Target Context                system_u:system_r:pppd_t:s0
Target Objects                socket [ packet_socket ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          sierravista.inf.elte.hu
Source RPM Packages           initscripts-8.94-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-23.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     sierravista.inf.elte.hu
Platform                      Linux sierravista.inf.elte.hu
                              2.6.29.1-111.fc11.x86_64 #1 SMP Fri Apr 24
                              10:57:09 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Sun 03 May 2009 12:43:23 PM CEST
Last Seen                     Sun 03 May 2009 01:15:10 PM CEST
Local ID                      2ec63e9e-e72b-441d-867b-368b643f1d19
Line Numbers                  

Raw Audit Messages            

node=sierravista.inf.elte.hu type=AVC msg=audit(1241349310.44:27177): avc:  denied  { read write } for  pid=2275 comm="consoletype" path="socket:[18205]" dev=sockfs ino=18205 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket

node=sierravista.inf.elte.hu type=SYSCALL msg=audit(1241349310.44:27177): arch=c000003e syscall=59 success=yes exit=0 a0=213f010 a1=213f070 a2=213eb80 a3=7fffae654be0 items=0 ppid=2274 pid=2275 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:consoletype_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-05-04 12:24:06 EDT
Looks like ppp is leaking a file descritptor to the packet_socket.

You can ignore this, since nothing is actually being broken.

ppp 

should call 

fcntl(fd, F_SETFD, FD_CLOEXEC) 

On all open fds and sockets before execing any other process.
Comment 2 Juergen Wieczorek 2009-05-10 05:40:59 EDT
I am getting the same AVC denial anytime I do a DSL dialup (selinux-policy-3.6.12-28.fc11).
Your explanation is crap.
If I am supposed to ignore this, why doesn't SELinux.
Comment 3 Daniel Walsh 2009-05-11 08:29:58 EDT
This is a leaked file descriptor in the ppp.  SELinux is protecting you by closing the file descriptor And allowing your ppp to run.  By telling you that you could ignore it, meant that it is not a sign of a break in, but a bug in ppp.

If you want SELInux to ingore the error, you can write  custom policy.

# grep consoletype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

You can also use the setroubleshoot app and tell it to ignore the error until ppp fixes their bug.
Comment 4 Bug Zapper 2009-06-09 11:03:34 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Martin Ellison 2009-06-25 23:14:57 EDT
It must be the world's most incomprehensible error message, despite strong competition. Is this English? Also, what does it mean, 'write a custom policy'? Is this documented anywhere? Why not say so? Could you provide step-by-step instructions (in the SELinux messages)? I am getting the message every day too.
Comment 6 Daniel Walsh 2009-06-26 11:27:32 EDT
# grep consoletype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Those are the steps.  These two commands will generate local customization/policy to allow the rules SELinux is complaining about.

http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/

Is the users guide.

The tool is trying to figure out what the error message means.  And it can not. What is actually happening is ppp has a bug that is leaking a file descriptor and selinux is reporting the fact.  I have given you two ways to quiet the selinux complaint, either tell selinux to allow the access or tell setroubleshoot to ignore the error.  Hopefully ppp developers will fix their code to not leak the descriptor.
Comment 7 Jiri Skala 2009-11-09 14:52:02 EST
Hi,
I can't reproduce AVC denial. I tried to make changes mentioned by Daniel. Could you test it if there is some progress?
The scratch build is available in koji: 

http://koji.fedoraproject.org/koji/taskinfo?taskID=1796872

Thanks, regards

Jiri
Comment 9 Jiri Skala 2010-01-06 02:34:29 EST
added patch that sets close-on-exec for file and sockets. More info:

https://bugzilla.redhat.com/show_bug.cgi?id=541107#c15
Comment 10 Jiri Skala 2010-01-13 03:50:51 EST
*** Bug 507103 has been marked as a duplicate of this bug. ***
Comment 11 Jiri Skala 2010-01-13 03:55:35 EST
*** Bug 554626 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.