Bug 712136 - SELinux is preventing /usr/sbin/pppd from 'read' accesses on the lnk_file /var/lock.
Summary: SELinux is preventing /usr/sbin/pppd from 'read' accesses on the lnk_file /va...
Keywords:
Status: CLOSED DUPLICATE of bug 717161
Alias: None
Product: Fedora
Classification: Fedora
Component: 0xFFFF
Version: 15
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:6df636d5961...
: 712361 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-09 14:59 UTC by Old Uncle
Modified: 2011-10-22 07:58 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.9.16-30.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-24 03:54:36 UTC


Attachments (Terms of Use)
Output of ausearch piped into audit2allow (635 bytes, application/octet-stream)
2011-06-24 15:04 UTC, Erik M Jacobs
no flags Details
The output of an ausearch done after the failed pppd connection. (1.59 KB, text/x-log)
2011-06-24 15:04 UTC, Erik M Jacobs
no flags Details
Log output of audit/messages before/after restorecon while connecting Verizon modem. (9.49 KB, text/plain)
2011-06-30 00:12 UTC, Erik M Jacobs
no flags Details

Description Old Uncle 2011-06-09 14:59:56 UTC
SELinux is preventing /usr/sbin/pppd from 'read' accesses on the lnk_file /var/lock.

*****  Plugin restorecon (94.8 confidence) suggests  *************************

If you want to fix the label. 
/var/lock default label should be var_lock_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/lock

*****  Plugin catchall_labels (5.21 confidence) suggests  ********************

If you want to allow pppd to have read access on the lock lnk_file
Then you need to change the label on /var/lock
Do
# semanage fcontext -a -t FILE_TYPE '/var/lock'
where FILE_TYPE is one of the following: pppd_etc_t, var_run_t, userdomain, device_t, ld_so_t, proc_t, proc_net_t, mta_exec_type, textrel_shlib_t, rpm_script_tmp_t, home_root_t, udev_var_run_t, var_run_t, var_lock_t, bin_t, cert_t, pppd_t, user_home_dir_t, device_t, devlog_t, locale_t, etc_t, proc_t, sysfs_t, postfix_etc_t, abrt_t, lib_t, root_t, var_run_t, var_run_t, var_run_t, cert_t. 
Then execute: 
restorecon -v '/var/lock'


*****  Plugin catchall (1.44 confidence) suggests  ***************************

If you believe that pppd should be allowed read access on the lock lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pppd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pppd_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/lock [ lnk_file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ppp-2.4.5-16.fc15
Target RPM Packages           filesystem-2.4.41-1.fc15
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.7-30.fc15.i686.PAE #1 SMP Fri
                              May 27 05:44:56 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Thu 09 Jun 2011 05:48:17 PM GET
Last Seen                     Thu 09 Jun 2011 05:48:33 PM GET
Local ID                      53922d4a-56b5-40e8-bf0f-6ea94b12c0f0

Raw Audit Messages
type=AVC msg=audit(1307627313.601:102): avc:  denied  { read } for  pid=3994 comm="pppd" name="lock" dev=dm-1 ino=263467 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1307627313.601:102): arch=i386 syscall=open success=no exit=EACCES a0=f627a0 a1=800c2 a2=1a4 a3=f627a0 items=0 ppid=874 pid=3994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pppd exe=/usr/sbin/pppd subj=system_u:system_r:pppd_t:s0 key=(null)

Hash: pppd,pppd_t,var_t,lnk_file,read

audit2allow

#============= pppd_t ==============
allow pppd_t var_t:lnk_file read;

audit2allow -R

#============= pppd_t ==============
allow pppd_t var_t:lnk_file read;

Comment 1 Dominick Grift 2011-06-09 15:06:31 UTC
The fix is to run as root: restorecon -R -v /var

Comment 2 Erik M Jacobs 2011-06-09 17:10:03 UTC
This only seems to partially work.

1) I plugged in my modem
2) I connected
3) I got the SELinux error
4) I ran restorecon on var
5) The folder still showed the wrong context, but my modem crashed.
6) I unplugged/replugged my modem
7) Now the file has the right context.

The fact that the correct context is not set when the system first boots is an issue to me.

Comment 3 Daniel Walsh 2011-06-09 18:07:57 UTC
The context should be right for now on.  And we are pushing through a fix to policy to make sure it is correct on all boxes.

Comment 4 Miroslav Grepl 2011-06-10 07:06:47 UTC
Fixed in selinux-policy-3.9.16-29.fc15.noarch

Comment 5 Fedora Update System 2011-06-10 10:50:15 UTC
selinux-policy-3.9.16-29.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15

Comment 6 Fedora Update System 2011-06-11 04:29:31 UTC
Package selinux-policy-3.9.16-29.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-29.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15
then log in and leave karma (feedback).

Comment 7 Miroslav Grepl 2011-06-11 07:48:51 UTC
*** Bug 712361 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2011-06-21 17:31:28 UTC
Package selinux-policy-3.9.16-30.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-30.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-30.fc15
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2011-06-24 03:53:01 UTC
selinux-policy-3.9.16-30.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Erik M Jacobs 2011-06-24 15:02:49 UTC
Does not appear to fix it.  After installing this policy, rebooting, and attempting to connect, I still got SELinux errors.

I've attached the output of ausearch (ausearch.log) and the policy generated by audit2allow (audit2allow.output).

[root@t510dora ~]# yum list installed '*selinux*'
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
libselinux.i686                                               2.0.99-4.fc15                                  @anaconda-InstallationRepo-201105131946.i686
libselinux-python.i686                                        2.0.99-4.fc15                                  @anaconda-InstallationRepo-201105131946.i686
libselinux-utils.i686                                         2.0.99-4.fc15                                  @anaconda-InstallationRepo-201105131946.i686
selinux-policy.noarch                                         3.9.16-30.fc15                                 @updates                                    
selinux-policy-targeted.noarch                                3.9.16-30.fc15                                 @updates

Comment 11 Erik M Jacobs 2011-06-24 15:04:12 UTC
Created attachment 509782 [details]
Output of ausearch piped into audit2allow

Comment 12 Erik M Jacobs 2011-06-24 15:04:47 UTC
Created attachment 509784 [details]
The output of an ausearch done after the failed pppd connection.

Comment 13 Erik M Jacobs 2011-06-24 15:07:56 UTC
These errors appear when I am trying to initiate the wireless connection with a Verizon USB modem, by the way.

Comment 14 Daniel Walsh 2011-06-24 15:42:31 UTC
restorecon -R -v /run/lock

Comment 15 Erik M Jacobs 2011-06-30 00:12:46 UTC
Created attachment 510553 [details]
Log output of audit/messages before/after restorecon while connecting Verizon modem.

Does not work.  Booting up the system and trying to attach the modem produces SELinux errors. "restorecon -R -v /run/lock" produces no output.  Then trying to attach the modem produces SELinux errors again.  Log of before/after restorecon is attached.

Comment 16 Miroslav Grepl 2011-06-30 07:04:53 UTC

*** This bug has been marked as a duplicate of bug 717161 ***


Note You need to log in before you can comment on or make changes to this bug.