Bug 699240 - SELinux is preventing /usr/sbin/pppd from read access on the lnk_file /var/lock
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: 0xFFFF
Version: 15
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-04-24 14:29 UTC by Bonzo1834
Modified: 2011-04-28 14:43 UTC

Last Closed: 2011-04-28 14:43:08 UTC


Attachments
SETroubleshoot Details Window output (1.33 KB, application/x-gzip), 2011-04-24 14:29 UTC, Bonzo1834
SE alert with new policy (3.09 KB, text/plain), 2011-04-27 13:10 UTC, Bonzo1834

Description Bonzo1834 2011-04-24 14:29:33 UTC
Created attachment 494530
SETroubleshoot Details Window output

Description of problem:
SELinux is preventing /usr/sbin/pppd from read access on the lnk_file /var/lock

Mobile broadband connection needs pppd to have read access to this directory.

How reproducible:
100%

Steps to Reproduce:
1. https://bugzilla.redhat.com/show_bug.cgi?id=698975#c3

Additional info: attaching SETroubleshoot Details Window output as reporting from SELinux Alert browser does not work (bug report option is greyed out).

Comment 1 Daniel Walsh 2011-04-25 13:26:46 UTC
restorecon -v /var/lock

Comment 2 Bonzo1834 2011-04-25 15:34:07 UTC
Didn't help, so I proceeded to the next suggestion:

grep pppd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

This worked.

Comment 3 Daniel Walsh 2011-04-25 15:37:45 UTC
ls -ldZ /var/lock

Comment 4 Santiago Lunar 2011-04-26 13:12:25 UTC
Tried with:

grep pppd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

And also worked like a charm :)

Comment 5 Bonzo1834 2011-04-26 16:32:50 UTC
$ ls -ldZ /var/lock
lrwxrwxrwx. root root system_u:object_r:var_t:s0       /var/lock -> ../run/lock

Comment 6 Daniel Walsh 2011-04-26 16:50:49 UTC
matchpathcon /var/lock

Comment 7 Bonzo1834 2011-04-27 06:59:46 UTC
$ matchpathcon /var/lock
/var/lock	system_u:object_r:var_lock_t:s0

Comment 8 Miroslav Grepl 2011-04-27 09:18:07 UTC
Could you try it with the latest policy?

http://koji.fedoraproject.org/koji/buildinfo?buildID=240947

Comment 9 Bonzo1834 2011-04-27 13:10:12 UTC
Created attachment 495227
SE alert with new policy

Comment 10 Bonzo1834 2011-04-27 13:10:51 UTC
OK, did the following:

$ semodule -d mypol
to disable the self-built module

Then installed 
selinux-policy-3.9.16-18.fc15.noarch.rpm
selinux-policy-doc-3.9.16-18.fc15.noarch.rpm
selinux-policy-minimum-3.9.16-18.fc15.noarch.rpm
selinux-policy-mls-3.9.16-18.fc15.noarch.rpm
selinux-policy-targeted-3.9.16-18.fc15.noarch.rpm
from koji

Tried to connect with mobile broadband => no joy:

/var/log/messages:
Apr 27 14:56:38 a1 pppd[2182]: Can't create lock file /var/lock/LCK..ttyUSB0: Permission denied
Apr 27 14:56:42 a1 setroubleshoot: SELinux is preventing /usr/sbin/pppd from read access on the lnk_file /var/lock. For complete SELinux messages. run sealert -l e1731787-f04d-4b19-ba1c-160c11e8b91b

I attached the sealert (sealert_new.txt) in comment 9, it shows that selinux-policy-3.9.16-18.fc15 is now used.

Also tried a reboot, but that didn't help either.

Comment 11 Miroslav Grepl 2011-04-27 13:18:51 UTC
Ok, try to run

# restorecon -Rv /var

Comment 12 Bonzo1834 2011-04-28 14:39:06 UTC
Yes! restorecon did the trick, it's working now

Thank you!
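
The comparison the thread works through in comments 5, 7 and 11 (on-disk label from ls -ldZ against the label matchpathcon reports for the loaded policy), written out as an added example that is not part of the original bug report or any commenter's words. The function names are assumptions; the two sample lines are the outputs quoted in comments 5 and 7.

```shell
#!/bin/sh
# Sample input: the output lines quoted in comments 5 and 7 of this bug.
LS_LINE='lrwxrwxrwx. root root system_u:object_r:var_t:s0       /var/lock -> ../run/lock'
MPC_LINE=$(printf '/var/lock\tsystem_u:object_r:var_lock_t:s0')

# Context in one line of `ls -dZ` / `ls -ldZ` output: the first field with at
# least four colon-separated parts (user:role:type:level).
ctx_from_ls() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if (split($i, p, ":") >= 4) { print $i; exit } }'
}

# Context in one line of `matchpathcon` output ("path<TAB>context").
ctx_from_matchpathcon() {
    printf '%s\n' "$1" | awk 'NF >= 2 { print $NF }'
}

# Type (third field) of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# compare_labels LS_LINE MATCHPATHCON_LINE
# Returns 0 if the types agree, 1 if the file is mislabeled, 2 if unparsed.
compare_labels() {
    actual=$(ctx_type "$(ctx_from_ls "$1")")
    expected=$(ctx_type "$(ctx_from_matchpathcon "$2")")
    if [ -z "$actual" ] || [ -z "$expected" ]; then
        echo "unparsed: no SELinux context found in the input"
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "ok: on-disk type $actual matches the policy"
        return 0
    fi
    echo "mislabeled: on-disk $actual, policy expects $expected; run restorecon"
    return 1
}

# Live check on an SELinux host (not called below): check_path /var/lock
check_path() {
    compare_labels "$(ls -dZ "$1")" "$(matchpathcon "$1")"
}

# Run on the sample lines; "|| true" keeps the non-zero verdict from aborting
# a caller that uses `set -e`.
compare_labels "$LS_LINE" "$MPC_LINE" || true
```

A mismatch result points to relabeling the file rather than to adding a local policy module for the denied access.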

