SELinux is preventing /usr/sbin/pppd from 'read' accesses on the file LCK..ttyUSB3.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that pppd should be allowed read access on the LCK..ttyUSB3 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pppd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pppd_t:s0
Target Context                system_u:object_r:var_lock_t:s0
Target Objects                LCK..ttyUSB3 [ file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ppp-2.4.5-16.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-24.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.39-1.fc16.x86_64 #1 SMP Sat May 21 02:34:01 UTC 2011 x86_64 x86_64
Alert Count                   13
First Seen                    Thu 26 May 2011 07:11:40 PM IST
Last Seen                     Fri 27 May 2011 08:34:08 AM IST
Local ID                      fb50193d-ce3e-4162-a1a4-01dc3648135a

Raw Audit Messages
type=AVC msg=audit(1306465448.881:1476): avc: denied { read } for pid=21535 comm="pppd" name="LCK..ttyUSB3" dev=tmpfs ino=640409 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

type=SYSCALL msg=audit(1306465448.881:1476): arch=x86_64 syscall=open success=no exit=EACCES a0=7f9546d90080 a1=80000 a2=0 a3=7fff6fec9190 items=0 ppid=814 pid=21535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pppd exe=/usr/sbin/pppd subj=system_u:system_r:pppd_t:s0 key=(null)

Hash: pppd,pppd_t,var_lock_t,file,read

audit2allow

#============= pppd_t ==============
allow pppd_t var_lock_t:file read;

audit2allow -R

#============= pppd_t ==============
allow pppd_t var_lock_t:file read;
duplicate of: 707977
*** Bug 708315 has been marked as a duplicate of this bug. ***
F15 needs

type pppd_lock_t;
files_lock_file(pppd_lock_t)
allow pppd_t pppd_lock_t:file manage_file_perms;
files_lock_filetrans(pppd_t, pppd_lock_t, file)

at least.
Those rules seem to be already in the master branch. There is however no file context specification for pppd_lock_t files.
# rpm -ql ppp |grep lock

returns nothing.

Jiri, could you look at this? /var/lock/ppp directory owned by ppp would be fine.
Could my F15 x86_64 SELinux issue with pppd be added to this? I am getting this with my Gobi 2000 3G:

$ sudo grep pppd /var/log/audit/audit.log
type=AVC msg=audit(1306678539.894:56): avc: denied { read } for pid=1951 comm="pppd" name="lock" dev=dm-1 ino=2903 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1306678539.894:56): arch=c000003e syscall=2 success=no exit=-13 a0=7f2c7047a080 a1=800c2 a2=1a4 a3=7fffbfe29170 items=0 ppid=830 pid=1951 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:pppd_t:s0 key=(null)

Which translates to a module of
--snip--
module pppd 1.0;

require {
        type var_t;
        type pppd_t;
        class lnk_file read;
}

#============= pppd_t ==============
allow pppd_t var_t:lnk_file read;
--snip--

After adding that I was able to get my 3G working on my Thinkpad Edge. But if it's preferable that I put this into a new bug, I'll do that.
(In reply to comment #6)
> Could my F15 x86_64 SELinux issue with pppd could be added to this. I am
> getting this with my Gobi 2000 3G:
>
> $ sudo grep pppd /var/log/audit/audit.log
> type=AVC msg=audit(1306678539.894:56): avc: denied { read } for pid=1951
> comm="pppd" name="lock" dev=dm-1 ino=2903 scontext=system_u:system_r:pppd_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1306678539.894:56): arch=c000003e syscall=2 success=no
> exit=-13 a0=7f2c7047a080 a1=800c2 a2=1a4 a3=7fffbfe29170 items=0 ppid=830
> pid=1951 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd"
> subj=system_u:system_r:pppd_t:s0 key=(null)
>
> Which translates to a module of
> --snip--
> module pppd 1.0;
>
> require {
>         type var_t;
>         type pppd_t;
>         class lnk_file read;
> }
>
> #============= pppd_t ==============
> allow pppd_t var_t:lnk_file read;
> --snip--
>
> After adding that I was able to get my 3G working on my Thinkpad Edge. But if
> it's preferable that I put this into a new bug, I'll do that.

This should be another issue which can be fixed by running:

restorecon -R -v /var

The /var/lock symlink was mislabelled.

Seems like some quirk in restorecon where restorecon -R -v -F /var/lock will not affect the /var/lock symlink, where restorecon -R -v /var will.
Always prefix your local loadable modules. You almost overwrote the upstream ppp module.

restorecon -R -v /var
semodule -r pppd
Actually I do suspect the initial issue is also due to the mislabelled /var/lock.
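Added example, not part of the original thread: a small triage helper that parses the two AVC denials quoted in this bug and separates "target looks mislabelled, check file contexts and run restorecon first" from "label is specific, review the policy rule". The `GENERIC_TYPES` set and the function names are assumptions of this example; the printed rule mirrors the audit2allow output shown in the report and is for review, not for loading as is.

```python
import re

# Constructed input: the two AVC records quoted in this bug, one per line.
SAMPLE_AVC = [
    'type=AVC msg=audit(1306465448.881:1476): avc: denied { read } for pid=21535 '
    'comm="pppd" name="LCK..ttyUSB3" dev=tmpfs ino=640409 '
    'scontext=system_u:system_r:pppd_t:s0 '
    'tcontext=system_u:object_r:var_lock_t:s0 tclass=file',
    'type=AVC msg=audit(1306678539.894:56): avc: denied { read } for pid=1951 '
    'comm="pppd" name="lock" dev=dm-1 ino=2903 '
    'scontext=system_u:system_r:pppd_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=lnk_file',
]

# Assumption of this example: target types that usually mean the object never
# received a specific label, so relabeling should be tried before new policy.
GENERIC_TYPES = {"var_t", "default_t", "unlabeled_t", "file_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the denial's fields, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    f["perms"] = m.group(1).split()
    # Context is user:role:type[:level]; the type is always the third field.
    f["stype"] = f["scontext"].split(":")[2]
    f["ttype"] = f["tcontext"].split(":")[2]
    return f

def allow_rule(f):
    """Render the rule audit2allow would emit, for review only."""
    perms = f["perms"][0] if len(f["perms"]) == 1 else "{ " + " ".join(f["perms"]) + " }"
    return f"allow {f['stype']} {f['ttype']}:{f['tclass']} {perms};"

def triage(f):
    """'relabel': check file contexts / restorecon first; 'policy': review the rule."""
    return "relabel" if f["ttype"] in GENERIC_TYPES else "policy"

if __name__ == "__main__":
    for rec in map(parse_avc, SAMPLE_AVC):
        print(f"{triage(rec):8} {rec['name']:14} {allow_rule(rec)}")
```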
Thanks, running

# restorecon -R -v /var

fixed my problem.
ppp-2.4.5-17.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/ppp-2.4.5-17.fc15
Package ppp-2.4.5-17.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing ppp-2.4.5-17.fc15'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/ppp-2.4.5-17.fc15
then log in and leave karma (feedback).
ppp-2.4.5-17.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.