Summary: SELinux is preventing consoletype (consoletype_t) "read write" pppd_t.

Detailed Description:
SELinux denied access requested by consoletype. It is not expected that this access is required by consoletype and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context                system_u:system_r:consoletype_t:s0
Target Context                system_u:system_r:pppd_t:s0
Target Objects                socket [ packet_socket ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          sierravista.inf.elte.hu
Source RPM Packages           initscripts-8.94-1
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-23.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     sierravista.inf.elte.hu
Platform                      Linux sierravista.inf.elte.hu 2.6.29.1-111.fc11.x86_64 #1 SMP Fri Apr 24 10:57:09 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Sun 03 May 2009 12:43:23 PM CEST
Last Seen                     Sun 03 May 2009 01:15:10 PM CEST
Local ID                      2ec63e9e-e72b-441d-867b-368b643f1d19
Line Numbers

Raw Audit Messages
node=sierravista.inf.elte.hu type=AVC msg=audit(1241349310.44:27177): avc: denied { read write } for pid=2275 comm="consoletype" path="socket:[18205]" dev=sockfs ino=18205 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket
node=sierravista.inf.elte.hu type=SYSCALL msg=audit(1241349310.44:27177): arch=c000003e syscall=59 success=yes exit=0 a0=213f010 a1=213f070 a2=213eb80 a3=7fffae654be0 items=0 ppid=2274 pid=2275 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:consoletype_t:s0 key=(null)
Looks like ppp is leaking a file descriptor to the packet_socket. You can ignore this, since nothing is actually being broken. ppp should call fcntl(fd, F_SETFD, FD_CLOEXEC) on all open fds and sockets before execing any other process.
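The close-on-exec fix the comment above calls for, written out as an added C example (this is not pppd's code nor the patch later attached to this bug). It uses an AF_UNIX socketpair as an unprivileged stand-in for the packet socket, and the 65536 bound on the sweep is an assumption chosen here, not something the bug states.

```c
#include <fcntl.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if fd has FD_CLOEXEC, 0 if not, -1 if fd is not open. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : ((flags & FD_CLOEXEC) ? 1 : 0);
}

/* Add FD_CLOEXEC to one descriptor, keeping its other fd flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Sweep every open descriptor above stdio and mark it close-on-exec, the
 * step a daemon should take before execing a helper. Returns count marked. */
int mark_all_cloexec(void)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    int marked = 0;
    if (maxfd < 0 || maxfd > 65536)  /* assumed bound for huge fd limits */
        maxfd = 65536;
    for (int fd = 3; fd < maxfd; fd++)
        if (has_cloexec(fd) == 0 && set_cloexec(fd) == 0)
            marked++;
    return marked;
}

/* Constructed scenario: a socket opened without SOCK_CLOEXEC, the kind that
 * leaks into an exec'd child. Returns 1 if the sweep made it close-on-exec. */
int demo_leaky_socket(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    int before = has_cloexec(sv[0]);   /* expected 0: would leak on exec */
    mark_all_cloexec();
    int after = has_cloexec(sv[0]);    /* expected 1: closed on exec */
    close(sv[0]);
    close(sv[1]);
    return (before == 0 && after == 1) ? 1 : 0;
}
```

After the sweep, an exec'd child such as consoletype no longer inherits the socket, so the AVC above has nothing to deny.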
I am getting the same AVC denial anytime I do a DSL dialup (selinux-policy-3.6.12-28.fc11). Your explanation is crap. If I am supposed to ignore this, why doesn't SELinux.
This is a leaked file descriptor in the ppp. SELinux is protecting you by closing the file descriptor and allowing your ppp to run. By telling you that you could ignore it, I meant that it is not a sign of a break-in, but a bug in ppp. If you want SELinux to ignore the error, you can write custom policy.

# grep consoletype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

You can also use the setroubleshoot app and tell it to ignore the error until ppp fixes their bug.
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
It must be the world's most incomprehensible error message, despite strong competition. Is this English? Also, what does it mean, 'write a custom policy'? Is this documented anywhere? Why not say so? Could you provide step-by-step instructions (in the SELinux messages)? I am getting the message every day too.
# grep consoletype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Those are the steps. These two commands will generate local customization/policy to allow the rules SELinux is complaining about.

http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/ is the user's guide.

The tool is trying to figure out what the error message means, and it cannot. What is actually happening is ppp has a bug that is leaking a file descriptor and selinux is reporting the fact. I have given you two ways to quiet the selinux complaint: either tell selinux to allow the access or tell setroubleshoot to ignore the error. Hopefully ppp developers will fix their code to not leak the descriptor.
Hi, I can't reproduce the AVC denial. I tried to make the changes mentioned by Daniel. Could you test it and see if there is some progress? The scratch build is available in koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=1796872 Thanks, regards Jiri
Added a patch that sets close-on-exec for files and sockets. More info: https://bugzilla.redhat.com/show_bug.cgi?id=541107#c15
*** Bug 507103 has been marked as a duplicate of this bug. ***
*** Bug 554626 has been marked as a duplicate of this bug. ***