Summary:

SELinux is preventing sh (pptp_t) "dac_override" pptp_t.

Detailed Description:

SELinux denied access requested by sh. It is not expected that this access is required by sh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          cave.xxxxxxxxxxx.com
Source RPM Packages           bash-4.0-7.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-78.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     cave.xxxxxxxxxxx.com
Platform                      Linux cave.xxxxxxxxxxx.com 2.6.29.6-217.2.8.fc11.x86_64 #1 SMP Sat Aug 15 01:06:26 EDT 2009 x86_64 x86_64
Alert Count                   194
First Seen                    Sun 23 Aug 2009 10:32:46 PM EEST
Last Seen                     Mon 24 Aug 2009 10:11:26 AM EEST
Local ID                      2566b98c-716b-494b-9639-3c3db79b9f8e
Line Numbers

Raw Audit Messages

node=cave.xxxxxxxxxxx.com type=AVC msg=audit(1251097886.860:30993): avc: denied { dac_override } for pid=4077 comm="sh" capability=1 scontext=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 tclass=capability

node=cave.xxxxxxxxxxx.com type=AVC msg=audit(1251097886.860:30993): avc: denied { dac_read_search } for pid=4077 comm="sh" capability=2 scontext=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 tclass=capability

node=cave.xxxxxxxxxxx.com type=SYSCALL msg=audit(1251097886.860:30993): arch=c000003e syscall=4 success=no exit=-13 a0=4a1773 a1=7fffb2089160 a2=7fffb2089160 a3=2 items=0 ppid=4075 pid=4077 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):11
Seems reasonable.
You can allow this for now using

# grep pptp /var/log/audit/audit.log | audit2allow -M mypptp
# semodule -i mypptp.pp
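Added example, not part of the original thread and not Fedora's or audit2allow's own code: a Python parser that turns the AVC records from the report into the allow rule a local module for them would contain, in the form audit2allow writes, so the grant can be read before `semodule -i` loads it. The function names are hypothetical, and the sample records are copied from the report with the host name replaced by a constructed `host`.

```python
import re
from collections import defaultdict

# AVC/SYSCALL records from the report; "node=host" is a constructed stand-in.
CTX = "unconfined_u:unconfined_r:pptp_t:s0-s0:c0.c1023"
SAMPLE = "\n".join([
    'node=host type=AVC msg=audit(1251097886.860:30993): avc: denied '
    '{ dac_override } for pid=4077 comm="sh" capability=1 '
    f'scontext={CTX} tcontext={CTX} tclass=capability',
    'node=host type=AVC msg=audit(1251097886.860:30993): avc: denied '
    '{ dac_read_search } for pid=4077 comm="sh" capability=2 '
    f'scontext={CTX} tcontext={CTX} tclass=capability',
    'node=host type=SYSCALL msg=audit(1251097886.860:30993): arch=c000003e '
    f'syscall=4 success=no exit=-13 comm="sh" exe="/bin/bash" subj={CTX}',
])

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def allow_rules(log_text):
    """Group denied permissions per (source, target, class) into allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = selinux_type(m["src"]), selinux_type(m["tgt"])
        if src == tgt:
            tgt = "self"  # a domain acting on itself is written as "self"
        grouped[(src, tgt, m["cls"])].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
```

Both permissions are Linux capabilities that bypass discretionary file permission checks, so the resulting rule is worth reading before it is installed as a stopgap.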
Fixed in selinux-policy-3.6.12-80.fc11
selinux-policy-3.6.12-80.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-80.fc11
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8895
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.