Bug 715489 - selinux and pppd errors
Summary: selinux and pppd errors
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: noarch
OS: Linux
Priority: unspecified
Severity: high
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-06-23 03:39 UTC by Ankur Sinha (FranciscoD)
Modified: 2011-06-27 05:38 UTC (History)
Doc Type: Bug Fix
Last Closed: 2011-06-27 05:38:13 UTC

Attachments
policy generated for "read" (1.86 KB, application/octet-stream)
2011-06-23 03:40 UTC, Ankur Sinha (FranciscoD)
policy generated for "unlink" (1.99 KB, application/octet-stream)
2011-06-23 03:40 UTC, Ankur Sinha (FranciscoD)
policy generated for "open" (1.97 KB, application/octet-stream)
2011-06-23 03:41 UTC, Ankur Sinha (FranciscoD)

Description Ankur Sinha (FranciscoD) 2011-06-23 03:39:47 UTC
Description of problem:
I get selinux avc denials while trying to connect to the internet using my USB mobile broadband connection. I noticed more bugs related to pppd, probably filed from my system using sealert, but I wasn't sure where to upload what files.

Version-Release number of selected component (if applicable):
[root@ankur ~]# rpm -q selinux-policy
selinux-policy-3.9.16-26.fc15.noarch


How reproducible:
If you try to use this USB broadband device with a pristine selinux-policy, you get multiple avc denials sequentially (first read, unlink, open)

Steps to Reproduce:
1. Make sure you have an unaltered selinux-policy
2. Insert the USB device
3. Try to connect to the internet using NetworkManager
  
Actual results:
AVC denials which need you to generate policies to get it to work

Expected results:
Should work out of the box :)


Additional info:
I had restored /var/lock using restorecon (using the generated policies gives me other errors which I'll file bugs against when I see them again), and reinserted the USB device to connect to the internet.

I'm attaching 3 generated policies that were required.

Comment 1 Ankur Sinha (FranciscoD) 2011-06-23 03:40:27 UTC
Created attachment 506110 [details]
policy generated for "read"

Comment 2 Ankur Sinha (FranciscoD) 2011-06-23 03:40:55 UTC
Created attachment 506111 [details]
policy generated for "unlink"

Comment 3 Ankur Sinha (FranciscoD) 2011-06-23 03:41:20 UTC
Created attachment 506112 [details]
policy generated for "open"

Comment 4 Ankur Sinha (FranciscoD) 2011-06-23 03:42:13 UTC
These were the policies generated this time. I hope they have enough info for you to solve the issue. Please let me know if you need any other info. I will be more than happy to provide it. 

Thank you :)
Ankur

Comment 5 Daniel Walsh 2011-06-23 13:23:57 UTC
I would rather have the raw AVCs that you used to generate the policy or the te files that were generated.

Comment 6 Ankur Sinha (FranciscoD) 2011-06-23 14:08:56 UTC
Oh! I'll generate them again and add them tonight then. 

Thanks,
Ankur

Comment 7 Bonzo1834 2011-06-24 13:13:24 UTC
The following broke my mobile broadband today:

selinux-policy-doc-3.9.16-30.fc15.noarch
selinux-policy-minimum-3.9.16-30.fc15.noarch
selinux-policy-mls-3.9.16-30.fc15.noarch
selinux-policy-targeted-3.9.16-30.fc15.noarch

SELinux is preventing /usr/sbin/pppd from read access on the lnk_file /var/lock
SELinux is preventing /usr/sbin/pppd from search access on the directory lock

The first error had been solved before:
https://bugzilla.redhat.com/show_bug.cgi?id=699240
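
The raw AVC records and te rules requested in comment 5, illustrated for the two pppd denials quoted in comment 7, as an added example that is not part of the original thread or of selinux-policy: a small Python reduction of audit-log AVC lines to allow rules, similar in spirit to what audit2allow emits. The sample records are constructed, and the `pppd_t` and `var_lock_t` types and all numeric fields in them are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format. The contexts (pppd_t,
# var_lock_t), pids, inodes and timestamps are assumptions, not the reporter's data.
SAMPLE_AVCS = """\
type=AVC msg=audit(1308900000.101:41): avc:  denied  { read } for  pid=2101 comm="pppd" name="lock" dev=dm-1 ino=1234 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1308900000.105:42): avc:  denied  { search } for  pid=2101 comm="pppd" name="lock" dev=tmpfs ino=5678 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1308900000.109:43): avc:  denied  { search } for  pid=2101 comm="pppd" name="lock" dev=tmpfs ino=5678 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=SYSCALL msg=audit(1308900000.109:43): arch=c000003e syscall=2 success=no comm="pppd"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL/PATH records and non-denial lines are skipped
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())  # repeated denials collapse
    return denials

def to_te_rules(denials):
    """Render the collected denials as type-enforcement allow rules."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        ps = sorted(perms)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(to_te_rules(collect_denials(SAMPLE_AVCS))))
```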

Comment 8 Ankur Sinha (FranciscoD) 2011-06-25 17:58:20 UTC
Hello,

I'm having some trouble with sealert. I've filed a bug. I'll provide the necessary info once it's fixed. 

https://bugzilla.redhat.com/show_bug.cgi?id=716626

Thanks,
Ankur

Comment 9 Miroslav Grepl 2011-06-27 05:38:13 UTC
The original issue should be fixed. I am closing the bug.

