Bug 576059 - SELinux is preventing sh (pptp_t) "read" to ./meminfo (proc_t). So, VPN connection fails
SELinux is preventing sh (pptp_t) "read" to ./meminfo (proc_t). So, VPN conne...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.5
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-03-23 02:32 EDT by Gaven
Modified: 2012-10-15 11:00 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Due to an incorrect SELinux policy, an attempt to connect to VPN from NetworkManager could fail. With this update, the relevant policy has been corrected, and such connections can now be established as expected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-13 16:48:39 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gaven 2010-03-23 02:32:50 EDT
Description of problem:
After testing a new VPN connection in NetworkManager on RHEL5 the VPN connection failed and I received a SELinux message AVC denial:
SELinux is preventing sh (pptp_t) "read" to ./meminfo (proc_t).
I've tried restore and relabeling.


Version-Release number of selected component (if applicable):
NetworkManager-pptp.x86_64 1:0.7.0-2.svn16.el5

How reproducible:
Always.

Steps to Reproduce:
1. Start VPN connection

Additional info:

SELinux is preventing sh (pptp_t) "read" to ./meminfo (proc_t).

Source Context                system_u:system_r:pptp_t
Target Context                system_u:object_r:proc_t
Target Objects                ./meminfo [ file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          hostname
Source RPM Packages           bash-3.2-24.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-255.el5_4.4
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     hostname
Platform                      Linux hostname
                              2.6.18-164.15.1.el5 #1 SMP Mon Mar 1 10:56:08 EST
                              2010 x86_64 x86_64
Comment 1 Jerry Amundson 2010-08-12 15:00:17 EDT
Me too...


Summary:

SELinux is preventing sh (pptp_t) "read" to ./meminfo (proc_t).

Detailed Description:

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./meminfo,

restorecon -v './meminfo'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:pptp_t
Target Context                system_u:object_r:proc_t
Target Objects                ./meminfo [ file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          jerrya-D600w
Source RPM Packages           bash-3.2-24.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     jerrya-D600w
Platform                      Linux jerrya-D600w 2.6.18-194.11.1.el5 #1 SMP Tue
                              Aug 10 19:09:06 EDT 2010 i686 i686
Alert Count                   2
First Seen                    Thu 12 Aug 2010 01:38:18 PM CDT
Last Seen                     Thu 12 Aug 2010 01:38:18 PM CDT
Local ID                      0207d3b2-5ba5-4463-b353-192eba18577c
Line Numbers                  

Raw Audit Messages            

host=jerrya-D600w type=AVC msg=audit(1281638298.209:57): avc:  denied  { read } for  pid=5216 comm="sh" name="meminfo" dev=proc ino=-268435454 scontext=user_u:system_r:pptp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

host=jerrya-D600w type=SYSCALL msg=audit(1281638298.209:57): arch=40000003 syscall=5 success=no exit=-13 a0=c6b31a a1=0 a2=1b6 a3=97d0a60 items=0 ppid=5209 pid=5216 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="sh" exe="/bin/bash" subj=user_u:system_r:pptp_t:s0 key=(null)
Comment 2 Daniel Walsh 2010-08-13 14:29:06 EDT
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 3 Jerry Amundson 2010-08-27 12:07:04 EDT
Summary:

SELinux is preventing sh (pptp_t) "getattr" to /proc/meminfo (proc_t).

Detailed Description:

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /proc/meminfo,

restorecon -v '/proc/meminfo'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:pptp_t
Target Context                system_u:object_r:proc_t
Target Objects                /proc/meminfo [ file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          jerrya-D600w
Source RPM Packages           bash-3.2-24.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     jerrya-D600w
Platform                      Linux jerrya-D600w 2.6.18-194.11.1.el5 #1 SMP Tue
                              Aug 10 19:09:06 EDT 2010 i686 i686
Alert Count                   2
First Seen                    Fri 27 Aug 2010 10:08:09 AM CDT
Last Seen                     Fri 27 Aug 2010 10:08:09 AM CDT
Local ID                      a243a929-ca92-4ba2-b8d5-59edc6b8f6cd
Line Numbers                  

Raw Audit Messages            

host=jerrya-D600w type=AVC msg=audit(1282921689.910:337): avc:  denied  { getattr } for  pid=13701 comm="sh" path="/proc/meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:pptp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

host=jerrya-D600w type=SYSCALL msg=audit(1282921689.910:337): arch=40000003 syscall=197 success=no exit=-13 a0=0 a1=bfaf67fc a2=c97ff4 a3=81c2a60 items=0 ppid=13697 pid=13701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:pptp_t:s0 key=(null)
Comment 4 Jerry Amundson 2010-08-27 15:11:03 EDT
This one came up when the connection timed out, and disconnected itself...


Summary:

SELinux is preventing pppd (pppd_t) "signal" to <Unknown> (initrc_t).

Detailed Description:

SELinux denied access requested by pppd. It is not expected that this access is
required by pppd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:pppd_t
Target Context                system_u:system_r:initrc_t
Target Objects                None [ process ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port                          <Unknown>
Host                          jerrya-D600w
Source RPM Packages           ppp-2.4.4-2.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     jerrya-D600w
Platform                      Linux jerrya-D600w 2.6.18-194.11.1.el5 #1 SMP Tue
                              Aug 10 19:09:06 EDT 2010 i686 i686
Alert Count                   1
First Seen                    Fri 27 Aug 2010 01:31:19 PM CDT
Last Seen                     Fri 27 Aug 2010 01:31:19 PM CDT
Local ID                      cac36ca2-c4f8-41c4-9f74-ccde7ac9bb32
Line Numbers                  

Raw Audit Messages            

host=jerrya-D600w type=AVC msg=audit(1282933879.493:366): avc:  denied  { signal } for  pid=14446 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process

host=jerrya-D600w type=SYSCALL msg=audit(1282933879.493:366): arch=40000003 syscall=37 success=no exit=-13 a0=3968 a1=f a2=3ba964 a3=82e0ce0 items=0 ppid=1 pid=14446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:pppd_t:s0 key=(null)
Comment 5 Miroslav Grepl 2010-08-31 04:27:02 EDT
Jerry,
what process is running as initrc_t?

# ps -eZ | grep initrc
Comment 6 Jerry Amundson 2010-08-31 12:11:53 EDT
$ ps -eZ | grep initrc
system_u:system_r:initrc_t       3464 ?        00:00:00 nm-dispatcher.a
Comment 7 Miroslav Grepl 2010-09-01 05:14:59 EDT
Ok, 
could you try to execute

chcon -t NetworkManager_exec_t /usr/libexec/nm-dispatcher.action
Comment 9 Miroslav Grepl 2010-09-09 09:21:57 EDT
Fixed in selinux-policy-2.4.6-283.el5.noarch
Comment 11 Milos Malik 2010-11-29 03:09:59 EST
Hello Gaven and Jerry,

could you please run your scenarios again with selinux-policy which is available at following URL?

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Thanks
Comment 13 Jaromir Hradilek 2011-01-05 11:11:09 EST
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Due to an incorrect SELinux policy, an attempt to connect to VPN from NetworkManager could fail. With this update, the relevant policy has been corrected, and such connections can now be established as expected.
Comment 15 errata-xmlrpc 2011-01-13 16:48:39 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

Note You need to log in before you can comment on or make changes to this bug.