Bug 505597 - pppd denied access to PID file when launched by networkmanager
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-06-12 10:43 EDT by Antony
Modified: 2009-08-21 16:30 EDT
Doc Type: Bug Fix
Last Closed: 2009-08-21 16:30:10 EDT


Attachments:
Output of ausearch, ps auX, sesearch. (24.78 KB, text/plain), 2009-06-12 10:43 EDT, Antony

Description Antony 2009-06-12 10:43:17 EDT
Created attachment 347578
Output of ausearch, ps auX, sesearch.

Description of problem:
SELinux in enforcing mode denies pppd access to /var/run/pppd2.tdb; in practice, when using NetworkManager to connect to mobile broadband, AVC denials pop up and I am unable to connect to mobile broadband.

Version-Release number of selected component (if applicable):
selinux-policy 3.5.13-61.fc10 (noarch)

How reproducible:
Attempt to connect to mobile broadband

Steps to Reproduce:
1. Plug in modem (I used Nokia E71 via USB) in PC Suite Mode. /dev/ttyACM0 is made available (modem).
2. Network Manager detects connection Auto Mobile Broadband (GSM) connection. Attempt to connect to this connection (with signal on phone).
3. AVC Denials should appear.
  
Actual results:
read, write, getattr, lock denied on /var/run/pppd2.tdb, networkmanager does not connect to network.

Expected results:
NetworkManager should connect to modem; pppd should be allowed to talk to its PID file. Can demonstrate this happening by setenforce 0.

Additional info:
Discussed on #fedora-selinux and was informed this was a bug. Have attached the various commands / output we discussed as text files. It was suggested the issue was with transitions to initrc_t.

Comment 1 Miroslav Grepl 2009-06-12 11:09:03 EDT
Did you run the restorecon command? 

# restorecon -R -v /var/run/ppp*

Comment 2 Antony 2009-06-12 11:23:00 EDT
No. Initially the domain was of var_run_t. I've just run the command and the new domain is pppd_var_run_t. Would this correct the issue?

Comment 3 Daniel Walsh 2009-06-12 13:53:35 EDT
Yes,

The question is how did the directory get created with the wrong context.


Did you run pppd directly?

Comment 4 Antony 2009-06-15 14:29:36 EDT
I can confirm I haven't had any problems since.

I was following a guide to try to connect to the internet through my mobile which must have been fairly old; it indicated I should use wvdial.

Just tried it with the modem attached, I first ran ls -Z | grep ppp in /var/run, then as root wvdial nokia-usb (nokia-usb being a section of wvdial.conf that tells wvdial how to call the modem). Then I ran ls -Z | grep ppp again to check, the output is:

[antony@tachyon.81 /var/run]$ ls -Z | grep pppd
drwxr-xr-x  root      root       system_u:object_r:pppd_var_run_t:s0 ppp
-rw-r--r--  root      root       unconfined_u:object_r:var_run_t:s0 pppd2.tdb

Which is where the wrong context came from... fixed as above.

From my point of view I've since discovered that directly using wvdial is the wrong way to use my modem, NetworkManager does it all and the correct context is set when using NetworkManager first. So, I can set the context correctly or just boot my system and it works correctly for my needs. I don't know if there are potential uses of wvdial which might break because of this, though?

Sorry about the delay in replying, internet has been down, ISP problems.

Comment 5 Antony 2009-08-21 16:30:10 EDT
Closing this because my problem is sorted and I don't think it's actually a bug as originally suspected... one less open bug report.
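
An added example (not part of the bug report or of any Fedora tooling): a bash function that reads `ls -Z` output and lists the entries whose SELinux type is not the expected one, run here on the two lines quoted in comment 4. The names `mislabeled`, `sample` and `check_sample` are made up for this illustration; on a live system, `restorecon -n -v -R /var/run/ppp*` performs a dry run of the same check against the loaded policy.

```shell
#!/bin/bash
# Added example. Reads `ls -Z` output on stdin and prints "<name> <type>" for
# every entry whose SELinux type differs from the expected type given as $1.
# Live usage: ls -Z /var/run | grep ppp | mislabeled pppd_var_run_t
mislabeled() {
    awk -v want="$1" '
    {
        ctx = ""
        # The context is the field shaped user:role:type[:level]. Its column
        # differs between ls versions, so search for it instead of assuming.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+(:|$)/) { ctx = $i; break }
        if (ctx == "") next        # no context column on this line
        split(ctx, part, ":")      # part[3] is the type; the level may hold more colons
        if (part[3] != want) print $NF " " part[3]
    }'
}

# Constructed sample: the two listing lines quoted in comment 4.
sample='drwxr-xr-x  root      root       system_u:object_r:pppd_var_run_t:s0 ppp
-rw-r--r--  root      root       unconfined_u:object_r:var_run_t:s0 pppd2.tdb'

check_sample() { printf '%s\n' "$sample" | mislabeled pppd_var_run_t; }

check_sample
```

The file name is taken from the last whitespace-separated field, so names containing spaces are reported by their last word only.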
