Bug 672054 - AVCs while using xl2tpd
Summary: AVCs while using xl2tpd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-01-23 15:48 UTC by Ruben Kerkhof
Modified: 2011-03-17 18:49 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.7.19-89.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-17 18:49:12 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Ruben Kerkhof 2011-01-23 15:48:19 UTC 
Description of problem:

Opening a vpn connection results in the following AVCs:

type=AVC msg=audit(1295797298.171:39383): avc:  denied  { execute } for  pid=19532 comm="pppd" name="unix_chkpwd" dev=vd
a1 ino=14436 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1295797298.171:39383): avc:  denied  { read open } for  pid=19532 comm="pppd" name="unix_chkpwd" dev=
vda1 ino=14436 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1295797298.171:39383): avc:  denied  { execute_no_trans } for  pid=19532 comm="pppd" path="/sbin/unix
_chkpwd" dev=vda1 ino=14436 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file

I'm using xl2tpd and pam authentication.
Comment 1 Daniel Walsh 2011-01-24 15:33:31 UTC 
Looks like we need to add

auth_domtrans_chk_passwd(pppd_t)
Comment 2 Miroslav Grepl 2011-01-24 15:39:21 UTC 
Ruben,
if you create the following local policy 

# cat mypol.te
policy_module(mypol,1.0)

require{
 type pppd_t;
}

auth_domtrans_chk_passwd(pppd_t)



and then execute

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp


does it work?
Comment 3 Ruben Kerkhof 2011-01-24 16:30:00 UTC 
Hi Miroslav,

Yes, this works great, thanks!

There are only 2 AVCs left now:
type=AVC msg=audit(1295885268.911:46236): avc:  denied  { write } for  pid=12710 comm="pppd" name="wtmp" dev=vda1 ino=27047 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:o
bject_r:wtmp_t:s0 tclass=file

and 

type=AVC msg=audit(1295885268.902:46234): avc:  denied  { setsched } for  pid=12710 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=pro
cess
Comment 4 Miroslav Grepl 2011-01-27 13:11:06 UTC 
Fixed in selinux-policy-3.7.19-87.fc13
Comment 5 Fedora Update System 2011-02-04 10:31:45 UTC 
selinux-policy-3.7.19-89.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-89.fc13
Comment 6 Fedora Update System 2011-02-04 19:48:51 UTC 
selinux-policy-3.7.19-89.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-89.fc13
Comment 7 Fedora Update System 2011-03-17 18:48:31 UTC 
selinux-policy-3.7.19-89.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.