Bug 518918 - problem access pptp client
Summary: problem access pptp client
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: SeLinux Policy
Depends On:
TreeView+ depends on / blocked
Reported: 2009-08-24 07:22 UTC by Alexander
Modified: 2009-08-28 21:56 UTC (History)
2 users (show)

Fixed In Version: 3.6.12-80.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-08-28 21:56:43 UTC
Type: ---

Attachments (Terms of Use)

Description Alexander 2009-08-24 07:22:15 UTC

SELinux is preventing sh (pptp_t) "dac_override" pptp_t.

Detailed Description:

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          cave.xxxxxxxxxxx.com
Source RPM Packages           bash-4.0-7.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-78.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     cave.xxxxxxxxxxx.com
Platform                      Linux cave.xxxxxxxxxxx.com
                     #1 SMP Sat Aug 15
                              01:06:26 EDT 2009 x86_64 x86_64
Alert Count                   194
First Seen                    Sun 23 Aug 2009 10:32:46 PM EEST
Last Seen                     Mon 24 Aug 2009 10:11:26 AM EEST
Local ID                      2566b98c-716b-494b-9639-3c3db79b9f8e
Line Numbers                  

Raw Audit Messages            

node=cave.xxxxxxxxxxx.com type=AVC msg=audit(1251097886.860:30993): avc:  denied  { dac_override } for  pid=4077 comm="sh" capability=1 scontext=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 tclass=capability

node=cave.xxxxxxxxxxx.com type=AVC msg=audit(1251097886.860:30993): avc:  denied  { dac_read_search } for  pid=4077 comm="sh" capability=2 scontext=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 tclass=capability

node=cave.xxxxxxxxxxx.com type=SYSCALL msg=audit(1251097886.860:30993): arch=c000003e syscall=4 success=no exit=-13 a0=4a1773 a1=7fffb2089160 a2=7fffb2089160 a3=2 items=0 ppid=4075 pid=4077 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):11

Comment 1 Daniel Walsh 2009-08-24 13:26:35 UTC
Seems reasonable.

Comment 2 Miroslav Grepl 2009-08-24 13:40:20 UTC
You can allow this for now using

# grep pptp /var/log/audit/audit.log | audit2allow -M mypptp
# semodule -i mypptp.pp

Comment 3 Miroslav Grepl 2009-08-24 15:38:36 UTC
Fixed in selinux-policy-3.6.12-80.fc11

Comment 4 Fedora Update System 2009-08-24 15:44:35 UTC
selinux-policy-3.6.12-80.fc11 has been submitted as an update for Fedora 11.

Comment 5 Fedora Update System 2009-08-25 04:26:18 UTC
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8895

Comment 6 Fedora Update System 2009-08-28 21:56:16 UTC
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.