Résumé:

SELinux is preventing /usr/sbin/pppd "read write" access on pppd2.tdb.

Description détaillée:

SELinux denied access requested by pppd. It is not expected that this access is
required by pppd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informations complémentaires:

Contexte source               system_u:system_r:pppd_t:s0
Contexte cible                unconfined_u:object_r:var_run_t:s0
Objets du contexte            pppd2.tdb [ file ]
source                        pppd
Chemin de la source           /usr/sbin/pppd
Port                          <Inconnu>
Hôte                          (removed)
Paquetages RPM source         ppp-2.4.4-13.fc12
Paquetages RPM cible
Politique RPM                 selinux-policy-3.6.32-73.fc12
Selinux activé                True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                 (removed)
Plateforme                    Linux (removed) 2.6.31.12-174.2.3.fc12.i686.PAE #1 SMP Mon Jan 18 20:06:44 UTC 2010 i686 i686
Compteur d'alertes            1
Première alerte               ven. 29 janv. 2010 17:28:34 CET
Dernière alerte               ven. 29 janv. 2010 17:28:34 CET
ID local                      c74e66c0-e861-404c-9043-528ba912c2b4
Numéros des lignes

Messages d'audit bruts

node=(removed) type=AVC msg=audit(1264782514.170:734): avc: denied { read write } for pid=3237 comm="pppd" name="pppd2.tdb" dev=dm-1 ino=564021 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1264782514.170:734): arch=40000003 syscall=5 success=no exit=-13 a0=1f6513 a1=42 a2=1a4 a3=0 items=0 ppid=1329 pid=3237 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:pppd_t:s0 key=(null)

Hash String generated from selinux-policy-3.6.32-73.fc12,catchall,pppd,pppd_t,var_run_t,file,read,write

audit2allow suggests:

#============= pppd_t ==============
allow pppd_t var_run_t:file { read write };
The error appeared after I tried to use my phone with Bluetooth and NetworkManager (with blueman). NetworkManager showed me a wizard to enter the required data (APN, provider, country); the APN was not listed, so I had to enter it by hand (in case this is important). I used Dial Up Networking to connect to my phone. The connection failed at the same time the SELinux icon appeared. According to the log:

Jan 29 17:28:38 akroma pppd[3272]: Fatal signal 11
Jan 29 17:28:38 akroma pppd[3272]: ioctl (SIOCGIFFLAGS): Bad file descriptor (line 2224)
Jan 29 17:28:38 akroma setroubleshoot: SELinux is preventing /usr/sbin/pppd "read write" access on pppd2.tdb. For complete SELinux messages. run sealert -l c74e66c0-e861-404c-9043-528ba912c2b4
Jan 29 17:28:39 akroma pppd[3272]: Exit.
Jan 29 17:28:39 akroma pppd[3237]: Modem hangup
Jan 29 17:28:39 akroma pppd[3237]: Connect time 0.1 minutes.
Jan 29 17:28:39 akroma pppd[3237]: Sent 0 bytes, received 0 bytes.
Jan 29 17:28:39 akroma pppd[3276]: Fatal signal 11
Jan 29 17:28:40 akroma pppd[3276]: Exit.
Jan 29 17:28:40 akroma pppd[3237]: Connection terminated.

The file pppd is trying to open is in /var/run:

Jan 29 17:28:34 akroma pppd[3237]: Warning: couldn't open ppp database /var/run/pppd2.tdb
According to this doc: http://ppp.samba.org/ppp/pppd.html#sect9, the access to the file is normal. I was connected to an Ethernet cable while testing my phone connection, but I doubt this had an impact.
restorecon /var/run/pppd2.tdb

Will fix. This is a labeling issue. Do you know how this file was created? If it was created via ppp it should have been created with the correct label.
The file doesn't exist at the moment. If I create it and use restorecon, the context seems OK:

$ ls -lZ /var/run/pppd2.tdb
-rw-r--r--. root root system_u:object_r:pppd_var_run_t:s0 /var/run/pppd2.tdb

If I remove it afterwards and run nm to create the file, it creates it OK too. However, I tried to use wvdial before using network-manager, and after trying again it seems that wvdial is the cause of the problem:

$ ls -lZ /var/run/pppd2.tdb
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 /var/run/pppd2.tdb

To reproduce, I have removed the file and run wvdial as root (as it needs access to /dev/rfcommX, and to run pppd), with this configuration (there is nothing special in it, but this may help you to reproduce):

$ cat /etc/wvdial.conf
[Dialer Defaults]
Modem = /dev/rfcomm0
Baud = 115200
FLOWCONTROL = NOFLOW
Init1 = AT+CGDCONT=1,"IP","wapsfr"
Init2 = AT&F&D2&C1S0=0
Dial Command = ATD
Phone = *99#
Username = wapsfr
Password = wapsfr
ask password = 0
stupid mode = 1
Auto DNS = off

(The configuration file is likely to be false, as the Phone directive is wrong; it should be another number.)

$ sudo wvdial
--> WvDial: Internet dialer version 1.60
--> Cannot get information for serial port.
--> Initializing modem.
--> Sending: AT+CGDCONT=1,"IP","wapsfr"
OK
--> Sending: AT&F&D2&C1S0=0
OK
--> Modem initialized.
--> Sending: ATD*99#
--> Waiting for carrier.
ATD*99#
CONNECT
~[7f]}#@!}!} } }2}#}$@#}!}$}%\}"}&} }*} } g}%~
--> Carrier detected. Starting PPP immediately.
--> Starting pppd at Mon Feb 1 19:43:05 2010
--> Pid of pppd: 16350
--> Using interface ppp0
--> pppd: �G. �M.
--> pppd: �G. �M.
--> pppd: �G. �M.
--> pppd: �G. �M.
--> pppd: �G. �M.
--> pppd: �G. �M.
--> Disconnecting at Mon Feb 1 19:43:13 2010
--> The PPP daemon has died: A modem hung up the phone (exit code = 16)

/dev/rfcomm0 can be created by blueman, or by rfcomm connect.
Can we move this file into the /var/run/ppp directory? If it was there, the file would get created with the correct context no matter how it got created.
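The labeling behaviour discussed in the comments above, as an added example (not part of the original bug report, nor code from ppp or selinux-policy): it parses the AVC record from the report and models how the type of a newly created file is chosen. The transition table, the directory labels, the unconfined_t domain for a wvdial-started pppd and the list of generic types are simplifying assumptions, not values dumped from the real policy.

```python
import re

# AVC record copied from the report above (node field omitted).
AVC = ('type=AVC msg=audit(1264782514.170:734): avc: denied { read write } '
       'for pid=3237 comm="pppd" name="pppd2.tdb" dev=dm-1 ino=564021 '
       'scontext=system_u:system_r:pppd_t:s0 '
       'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file')

# Assumed, simplified policy facts (illustrative only):
# type_transition rules keyed by (creating domain, parent dir type, class).
TYPE_TRANSITIONS = {("pppd_t", "var_run_t", "file"): "pppd_var_run_t"}
# Labels of the two candidate parent directories.
DIR_TYPES = {"/var/run": "var_run_t", "/var/run/ppp": "pppd_var_run_t"}
# Generic directory types that a daemon's private file should not carry.
GENERIC_TYPES = {"var_run_t", "tmp_t", "var_t", "etc_t"}


def parse_avc(record):
    """Return the fields of an AVC denial that matter for triage."""
    perms = re.search(r"denied\s+\{([^}]*)\}", record).group(1).split()
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    return {
        "perms": perms,
        "name": kv["name"].strip('"'),
        "source_type": kv["scontext"].split(":")[2],
        "target_type": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
    }


def looks_mislabeled(avc):
    """Heuristic: a file carrying a generic directory type suggests a
    labeling problem rather than a missing allow rule."""
    return avc["tclass"] == "file" and avc["target_type"] in GENERIC_TYPES


def new_file_type(domain, parent_dir, tclass="file"):
    """Type given to a new object: a matching transition rule wins,
    otherwise the object inherits the parent directory's type."""
    parent_type = DIR_TYPES[parent_dir]
    return TYPE_TRANSITIONS.get((domain, parent_type, tclass), parent_type)


if __name__ == "__main__":
    avc = parse_avc(AVC)
    print(avc, "mislabeled:", looks_mislabeled(avc))
    for domain in ("pppd_t", "unconfined_t"):
        for parent in DIR_TYPES:
            print(domain, parent, "->", new_file_type(domain, parent))
```

With these assumptions, only the unconfined creator writing directly into /var/run ends up with var_run_t, which is the label seen in the denial; under /var/run/ppp every creator yields pppd_var_run_t.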
Indeed, after patching pppd to place the file there, this is fixed:

$ ls -lZ /var/run/ppp/pppd2.tdb
-rw-r--r--. root root unconfined_u:object_r:pppd_var_run_t:s0 /var/run/ppp/pppd2.tdb

Here is the patch I used, against the latest CVS packages, tested on Fedora 12.
Created attachment 388310
patch to use a different path for pppd2.tdb
*** Bug 563864 has been marked as a duplicate of this bug. ***
ppp-2.4.5-5.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/ppp-2.4.5-5.fc12
*** Bug 565000 has been marked as a duplicate of this bug. ***
ppp-2.4.5-5.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.