Bug 505597 - pppd denied access to PID file when launched by networkmanager
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-06-12 14:43 UTC by Antony
Modified: 2009-08-21 20:30 UTC (History)
Doc Type: Bug Fix
Last Closed: 2009-08-21 20:30:10 UTC

Attachments
Output of ausearch, ps auX, sesearch. (24.78 KB, text/plain)
2009-06-12 14:43 UTC, Antony

Description Antony 2009-06-12 14:43:17 UTC
Created attachment 347578
Output of ausearch, ps auX, sesearch.

Description of problem:
SELinux in enforcing mode denies pppd access to /var/run/pppd2.tdb; in practice, when using NetworkManager to connect to mobile broadband, AVC denials pop up and I am unable to connect to mobile broadband.

Version-Release number of selected component (if applicable):
selinux-policy 3.5.13-61.fc10 (noarch)

How reproducible:
Attempt to connect to mobile broadband

Steps to Reproduce:
1. Plug in modem (I used Nokia E71 via USB) in PC Suite Mode. /dev/ttyACM0 is made available (modem).
2. Network Manager detects connection Auto Mobile Broadband (GSM) connection. Attempt to connect to this connection (with signal on phone).
3. AVC Denials should appear.
  
Actual results:
read, write, getattr, lock denied on /var/run/pppd2.tdb, networkmanager does not connect to network.

Expected results:
NetworkManager should connect to modem; pppd should be allowed to talk to its PID file. Can demonstrate this happening by setenforce 0.

Additional info:
Discussed on #fedora-selinux and was informed this was a bug. Have attached the various commands / output we discussed as text files. It was suggested the issue was with transitions to initrc_t.

Comment 1 Miroslav Grepl 2009-06-12 15:09:03 UTC
Did you run the restorecon command? 

# restorecon -R -v /var/run/ppp*

Comment 2 Antony 2009-06-12 15:23:00 UTC
No. Initially the domain was of var_run_t. I've just run the command and the new domain is pppd_var_run_t. Would this correct the issue?

Comment 3 Daniel Walsh 2009-06-12 17:53:35 UTC
Yes,

The question is how did the directory get created with the wrong context.


Did you run pppd directly?

Comment 4 Antony 2009-06-15 18:29:36 UTC
I can confirm I haven't had any problems since.

I was following a guide to try to connect to the internet through my mobile which must have been fairly old; it indicated I should use wvdial.

Just tried it with the modem attached, I first ran ls -Z | grep ppp in /var/run, then as root wvdial nokia-usb (nokia-usb being a section of wvdial.conf that tells wvdial how to call the modem). Then I ran ls -Z | grep ppp again to check, the output is:

[antony /var/run]$ ls -Z | grep pppd
drwxr-xr-x  root      root       system_u:object_r:pppd_var_run_t:s0 ppp
-rw-r--r--  root      root       unconfined_u:object_r:var_run_t:s0 pppd2.tdb

Which is where the wrong context came from... fixed as above.

From my point of view I've since discovered that directly using wvdial is the wrong way to use my modem, NetworkManager does it all and the correct context is set when using NetworkManager first. So, I can set the context correctly or just boot my system and it works correctly for my needs. I don't know if there are potential uses of wvdial which might break because of this, though?

Sorry about the delay in replying, internet has been down, ISP problems.
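
The listing in comment 4 shows the mislabel directly: pppd2.tdb carries var_run_t and the unconfined_u user, while the ppp directory has pppd_var_run_t. The following is an added example, not part of the bug thread: a shell check that parses `ls -Z` output and reports entries whose type is not the expected one. The function names are hypothetical and the expected type is taken from comment 2.

```shell
#!/bin/sh
# Added example, not from the bug thread.
# Constructed input: the two `ls -Z` lines quoted in comment 4.
SAMPLE='drwxr-xr-x  root      root       system_u:object_r:pppd_var_run_t:s0 ppp
-rw-r--r--  root      root       unconfined_u:object_r:var_run_t:s0 pppd2.tdb'

# mislabeled EXPECTED_TYPE
# Reads `ls -Z` lines on stdin and prints "name type" for each entry whose
# SELinux type differs from EXPECTED_TYPE. Exit status 1 if any differ.
# Limitation: the name is taken as the last field, so names with spaces break.
mislabeled() {
    awk -v want="$1" '
    {
        # The context column moves between ls versions, so search for the
        # user:role:type[:level] field instead of assuming a position.
        for (i = 1; i <= NF; i++) {
            n = split($i, ctx, ":")
            if (n >= 3 && ctx[2] ~ /_r$/) break
        }
        if (i > NF) next            # line carries no context, skip it
        if (ctx[3] != want) { print $NF, ctx[3]; bad = 1 }
    }
    END { exit bad + 0 }'
}

# label_user NAME
# Prints the SELinux user in NAME's label. A new file inherits the SELinux
# user of the process that created it, so this hints at how it was created.
label_user() {
    awk -v name="$1" '$NF == name {
        for (i = 1; i <= NF; i++)
            if (split($i, ctx, ":") >= 3 && ctx[2] ~ /_r$/) { print ctx[1]; exit }
    }'
}

# Expected type per comment 2: pppd_var_run_t.
printf '%s\n' "$SAMPLE" | mislabeled pppd_var_run_t || true
printf '%s\n' "$SAMPLE" | label_user pppd2.tdb
```

On a live system, `restorecon -n -v` on the same path reports what the loaded policy would relabel without changing anything.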

Comment 5 Antony 2009-08-21 20:30:10 UTC
Closing this because my problem is sorted and I don't think it's actually a bug as originally suspected... one less open bug report.
