Bug 585804 - SELinux is preventing /usr/sbin/pppd "read" access on /var/lock/LCK..ttyUSB0.
Product: Fedora
Classification: Fedora
Component: selinux-policy
i386 Linux
low Severity medium
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
Reported: 2010-04-26 01:49 EDT by Cássio Magno
Modified: 2010-11-17 10:57 EST
Doc Type: Bug Fix
Last Closed: 2010-11-17 10:57:29 EST
Description Cássio Magno 2010-04-26 01:49:50 EDT

SELinux is preventing /usr/sbin/pppd "read" access on /var/lock/LCK..ttyUSB0.

Descrição detalhada:

SELinux denied access requested by pppd. It is not expected that this access is
required by pppd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Permitindo acesso:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Informações adicionais:

Contexto de origem            system_u:system_r:pppd_t:s0
Contexto de destino           unconfined_u:object_r:var_lock_t:s0
Objetos de destino            /var/lock/LCK..ttyUSB0 [ file ]
Origem                        pppd
Caminho da origem             /usr/sbin/pppd
Porta                         <Desconhecido>
Máquina                      (removed)
Pacotes RPM de origem         ppp-2.4.5-8.fc12
Pacotes RPM de destino        
RPM da política              selinux-policy-3.6.32-110.fc12
Selinux habilitado            True
Tipo de política             targeted
Modo reforçado               Enforcing
Nome do plugin                catchall
Nome da máquina              (removed)
Plataforma                    Linux (removed)
                              #1 SMP Tue Apr 13 15:51:45 UTC 2010 i686 i686
Contador de alertas           2
Visto pela primeira vez em    Qua 21 Abr 2010 15:37:53 BRT
Visto pela última vez em     Qua 21 Abr 2010 15:38:35 BRT
ID local                      9e143e27-9cca-48bb-abaa-d432055484a8
Números de linha             

Mensagens de auditoria não p 

node=(removed) type=AVC msg=audit(1271875115.334:27004): avc:  denied  { read } for  pid=7642 comm="pppd" name="LCK..ttyUSB0" dev=sda2 ino=131675 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1271875115.334:27004): arch=40000003 syscall=5 success=no exit=-13 a0=e16900 a1=0 a2=0 a3=e16900 items=0 ppid=1290 pid=7642 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:pppd_t:s0 key=(null)

Hash String generated from  catchall,pppd,pppd_t,var_lock_t,file,read
audit2allow suggests:

#============= pppd_t ==============
allow pppd_t var_lock_t:file read;
Comment 1 Daniel Walsh 2010-04-26 09:52:10 EDT
Is pppd being started when you insert a usb stick?  

Reassigning to pppd people to see if they have an idea.  I have a feeling you can ignore this for now.
Comment 2 Jiri Skala 2010-04-27 08:00:50 EDT
Dan, this is a good question... I didn't observe pppd starting when a USB stick is inserted.

Well, I'd like to forward this question to reporter. Please, could you answer comment #1?
Comment 3 Jiri Skala 2010-07-13 08:49:12 EDT
I don't currently see any possible action from ppp side therefore switching back to selinux-policy.
Comment 4 Daniel Walsh 2010-08-19 07:35:05 EDT
Are you still seeing this problem?
Comment 5 Bug Zapper 2010-11-03 12:18:58 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 6 Lech 2010-11-10 22:20:55 EST
If it's closed and "not a bug" then why is it preventing my mobile broadband connection from working? What's the fix?

I'm running F14.
Comment 7 Daniel Walsh 2010-11-11 09:30:14 EST

Could you try this:

# semanage permissive -a pppd_t

Then try your mobile broadband.

When you are done, attach the output of

ausearch -m avc -ts recent
Comment 8 michiel 2010-11-16 07:14:57 EST
F14 has /var/lock root:root

should unpoeterred: root:lock with group rwx

works for rxtx

maybe this has anything to do with mobile-connection?
Comment 9 Lech 2010-11-16 19:39:44 EST
Hi Daniel,

Thanks, I changed the SELinux settings graphically to permissive (and have since disabled SELinux anyway), which seemed to fix the problem in my case.
