Bug 569986 - SELinux is preventing ifup-ppp (usernetctl_t) "getattr" to /usr/sbin/pppd (pppd_exec_t).
Status: CLOSED DUPLICATE of bug 538428
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:eb464c06d7a...
Reported: 2010-03-02 21:11 UTC by Vinicius Borges da Silva
Modified: 2010-03-03 04:28 UTC (History)

Last Closed: 2010-03-02 21:22:53 UTC

Description Vinicius Borges da Silva 2010-03-02 21:11:48 UTC
Summary:

SELinux is preventing ifup-ppp (usernetctl_t) "getattr" to /usr/sbin/pppd
(pppd_exec_t).

Detailed Description:

SELinux denied access requested by ifup-ppp. It is not expected that this access
is required by ifup-ppp and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/sbin/pppd,

restorecon -v '/usr/sbin/pppd'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023
Target Context                system_u:object_r:pppd_exec_t:s0
Target Objects                /usr/sbin/pppd [ file ]
Source                        ifup-ppp
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-3.2-22.fc9
Target RPM Packages           ppp-2.4.4-6.fc9
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     (removed)
Platform                      Linux (removed) 2.6.25-14.fc9.i686 #1 SMP Thu May 1 06:28:41 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Sun 13 Dec 2009 21:39:45 BRST
Last Seen                     Sun 13 Dec 2009 21:42:25 BRST
Local ID                      690fdb31-f546-4ad2-9f7a-ed53b9e9aeb1
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1260747745.893:20): avc:  denied  { getattr } for  pid=2761 comm="ifup-ppp" path="/usr/sbin/pppd" dev=sda5 ino=1324531 scontext=unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1260747745.893:20): arch=40000003 syscall=195 success=no exit=-13 a0=9049a10 a1=bfffa89c a2=2b1ff4 a3=9049a12 items=0 ppid=2512 pid=2761 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifup-ppp" exe="/bin/bash" subj=unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall_file,ifup-ppp,usernetctl_t,pppd_exec_t,file,getattr
audit2allow suggests:
libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023 to sid

Comment 1 Daniel Walsh 2010-03-02 21:22:53 UTC
You are reporting an F12 bug with F9 policy

*** This bug has been marked as a duplicate of bug 538428 ***

