Description of problem:
After testing a new VPN connection in NetworkManager on RHEL5 the VPN connection failed and I received a SELinux message AVC denial: SELinux is preventing sh (pptp_t) "read" to ./meminfo (proc_t). I've tried restore and relabeling.

Version-Release number of selected component (if applicable):
NetworkManager-pptp.x86_64 1:0.7.0-2.svn16.el5

How reproducible:
Always.

Steps to Reproduce:
1. Start VPN connection

Additional info:
SELinux is preventing sh (pptp_t) "read" to ./meminfo (proc_t).

Source Context                system_u:system_r:pptp_t
Target Context                system_u:object_r:proc_t
Target Objects                ./meminfo [ file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          hostname
Source RPM Packages           bash-3.2-24.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-255.el5_4.4
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     hostname
Platform                      Linux hostname 2.6.18-164.15.1.el5 #1 SMP Mon Mar 1 10:56:08 EST 2010 x86_64 x86_64
Me too...

Summary:
SELinux is preventing sh (pptp_t) "read" to ./meminfo (proc_t).

Detailed Description:
SELinux denied access requested by sh. It is not expected that this access is required by sh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./meminfo, restorecon -v './meminfo' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                user_u:system_r:pptp_t
Target Context                system_u:object_r:proc_t
Target Objects                ./meminfo [ file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          jerrya-D600w
Source RPM Packages           bash-3.2-24.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     jerrya-D600w
Platform                      Linux jerrya-D600w 2.6.18-194.11.1.el5 #1 SMP Tue Aug 10 19:09:06 EDT 2010 i686 i686
Alert Count                   2
First Seen                    Thu 12 Aug 2010 01:38:18 PM CDT
Last Seen                     Thu 12 Aug 2010 01:38:18 PM CDT
Local ID                      0207d3b2-5ba5-4463-b353-192eba18577c
Line Numbers

Raw Audit Messages

host=jerrya-D600w type=AVC msg=audit(1281638298.209:57): avc: denied { read } for pid=5216 comm="sh" name="meminfo" dev=proc ino=-268435454 scontext=user_u:system_r:pptp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
host=jerrya-D600w type=SYSCALL msg=audit(1281638298.209:57): arch=40000003 syscall=5 success=no exit=-13 a0=c6b31a a1=0 a2=1b6 a3=97d0a60 items=0 ppid=5209 pid=5216 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="sh" exe="/bin/bash" subj=user_u:system_r:pptp_t:s0 key=(null)
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
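What the audit2allow step in the comment above actually does is mechanical: it picks the AVC records out of audit.log, reduces the source and target contexts to their types, and merges every denial with the same (source type, target type, object class) into one allow rule. The following is an added example, not part of this bug report or of the audit2allow tool, that performs that grouping in plain Python over the three AVC records posted in this thread (the sample log below is copied from the reports' "Raw Audit Messages"; the SYSCALL record is included only to show it is skipped). The review function and its initrc_t check are this example's own assumption, motivated by the later finding in this thread that the real problem was a mislabeled dispatcher script running as initrc_t rather than a missing rule.

```python
"""Group SELinux AVC denials into candidate allow rules, audit2allow-style."""
import re
from collections import defaultdict

# Copied from this bug's "Raw Audit Messages" (three AVC records plus one
# SYSCALL record, which the parser must ignore).
SAMPLE_AUDIT_LOG = """\
host=jerrya-D600w type=AVC msg=audit(1281638298.209:57): avc: denied { read } for pid=5216 comm="sh" name="meminfo" dev=proc ino=-268435454 scontext=user_u:system_r:pptp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
host=jerrya-D600w type=SYSCALL msg=audit(1281638298.209:57): arch=40000003 syscall=5 success=no exit=-13 a0=c6b31a a1=0 a2=1b6 a3=97d0a60 items=0 ppid=5209 pid=5216 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="sh" exe="/bin/bash" subj=user_u:system_r:pptp_t:s0 key=(null)
host=jerrya-D600w type=AVC msg=audit(1282921689.910:337): avc: denied { getattr } for pid=13701 comm="sh" path="/proc/meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:pptp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
host=jerrya-D600w type=AVC msg=audit(1282933879.493:366): avc: denied { signal } for pid=14446 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
"""

# Matches only AVC records: the permission set in braces, then the source
# context, target context and object class, in the order auditd writes them.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Reduce user:role:type[:mls] to the type component policy rules use."""
    return ctx.split(':')[2]


def parse_denials(log_text):
    """Return one dict per AVC denial; non-AVC records are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            'perms': set(m.group('perms').split()),
            'source': context_type(m.group('scontext')),
            'target': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
        })
    return denials


def allow_rules(denials):
    """Merge denials sharing (source, target, class) into TE allow rules."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


# Assumption for this example: a denial whose target is a catch-all domain
# such as initrc_t usually means something is running under the wrong
# label, so the rule should be reviewed rather than installed as-is.
BROAD_DOMAINS = frozenset({'initrc_t'})


def needs_label_review(denials, broad=BROAD_DOMAINS):
    """Return the (source, target, class) triples that hit a broad domain."""
    return sorted({
        (d['source'], d['target'], d['tclass'])
        for d in denials if d['target'] in broad
    })


if __name__ == '__main__':
    found = parse_denials(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(found):
        print(rule)
    for triple in needs_label_review(found):
        print('review before allowing:', triple)
```

Run against the three records from this thread the script emits `allow pppd_t initrc_t:process { signal };` and `allow pptp_t proc_t:file { getattr read };`, and flags the first one for review. That matches how the thread played out: the process in initrc_t turned out to be nm-dispatcher.action, and the lasting fix was a relabel and then a corrected selinux-policy package, not a local module that lets pppd_t signal initrc_t.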
Summary:
SELinux is preventing sh (pptp_t) "getattr" to /proc/meminfo (proc_t).

Detailed Description:
SELinux denied access requested by sh. It is not expected that this access is required by sh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /proc/meminfo, restorecon -v '/proc/meminfo' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:pptp_t
Target Context                system_u:object_r:proc_t
Target Objects                /proc/meminfo [ file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          jerrya-D600w
Source RPM Packages           bash-3.2-24.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     jerrya-D600w
Platform                      Linux jerrya-D600w 2.6.18-194.11.1.el5 #1 SMP Tue Aug 10 19:09:06 EDT 2010 i686 i686
Alert Count                   2
First Seen                    Fri 27 Aug 2010 10:08:09 AM CDT
Last Seen                     Fri 27 Aug 2010 10:08:09 AM CDT
Local ID                      a243a929-ca92-4ba2-b8d5-59edc6b8f6cd
Line Numbers

Raw Audit Messages

host=jerrya-D600w type=AVC msg=audit(1282921689.910:337): avc: denied { getattr } for pid=13701 comm="sh" path="/proc/meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:pptp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
host=jerrya-D600w type=SYSCALL msg=audit(1282921689.910:337): arch=40000003 syscall=197 success=no exit=-13 a0=0 a1=bfaf67fc a2=c97ff4 a3=81c2a60 items=0 ppid=13697 pid=13701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:pptp_t:s0 key=(null)
This one came up when the connection timed out, and disconnected itself...

Summary:
SELinux is preventing pppd (pppd_t) "signal" to <Unknown> (initrc_t).

Detailed Description:
SELinux denied access requested by pppd. It is not expected that this access is required by pppd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:pppd_t
Target Context                system_u:system_r:initrc_t
Target Objects                None [ process ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port                          <Unknown>
Host                          jerrya-D600w
Source RPM Packages           ppp-2.4.4-2.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     jerrya-D600w
Platform                      Linux jerrya-D600w 2.6.18-194.11.1.el5 #1 SMP Tue Aug 10 19:09:06 EDT 2010 i686 i686
Alert Count                   1
First Seen                    Fri 27 Aug 2010 01:31:19 PM CDT
Last Seen                     Fri 27 Aug 2010 01:31:19 PM CDT
Local ID                      cac36ca2-c4f8-41c4-9f74-ccde7ac9bb32
Line Numbers

Raw Audit Messages

host=jerrya-D600w type=AVC msg=audit(1282933879.493:366): avc: denied { signal } for pid=14446 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
host=jerrya-D600w type=SYSCALL msg=audit(1282933879.493:366): arch=40000003 syscall=37 success=no exit=-13 a0=3968 a1=f a2=3ba964 a3=82e0ce0 items=0 ppid=1 pid=14446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:pppd_t:s0 key=(null)
Jerry, what process is running as initrc_t?

# ps -eZ | grep initrc
$ ps -eZ | grep initrc
system_u:system_r:initrc_t      3464 ?        00:00:00 nm-dispatcher.a
Ok, could you try to execute

chcon -t NetworkManager_exec_t /usr/libexec/nm-dispatcher.action
Fixed in selinux-policy-2.4.6-283.el5.noarch
Hello Gaven and Jerry, could you please run your scenarios again with selinux-policy which is available at following URL? http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ Thanks
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Due to an incorrect SELinux policy, an attempt to connect to VPN from NetworkManager could fail. With this update, the relevant policy has been corrected, and such connections can now be established as expected.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html