Bug 731382 - SELinux is preventing /bin/mkdir from 'write' accesses on the directory /dev.
Summary: SELinux is preventing /bin/mkdir from 'write' accesses on the directory /dev.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:20f617343a7...
Depends On:
Blocks: 494832
 
Reported: 2011-08-17 13:26 UTC by Ilkka Tengvall
Modified: 2011-12-04 02:34 UTC (History)

Fixed In Version: selinux-policy-3.9.16-48.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-04 02:34:23 UTC
Type: ---
Embargoed:


Attachments
vpnc avc logs while semanage permissive -a vpnc_t (4.41 KB, text/x-log)
2011-08-26 07:08 UTC, Ilkka Tengvall
Patch to make sure selinux labels are correct. (653 bytes, patch)
2011-08-31 14:26 UTC, Daniel Walsh

Description Ilkka Tengvall 2011-08-17 13:26:59 UTC
SELinux is preventing vpnc to create a tunnel device


SELinux is preventing /bin/mkdir from 'write' accesses on the directory /dev.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mkdir should be allowed write access on the dev directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mkdir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev [ dir ]
Source                        mkdir
Source Path                   /bin/mkdir
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.10-2.fc15
Target RPM Packages           filesystem-2.4.41-1.fc15
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.10-74.fc14.i686 #1 SMP Thu Dec 23 16:17:40
                              UTC 2010 i686 i686
Alert Count                   2
First Seen                    Wed 17 Aug 2011 06:16:58 AM PDT
Last Seen                     Wed 17 Aug 2011 06:17:58 AM PDT
Local ID                      7622a366-fc31-48c4-9df8-e250ccbfd785

Raw Audit Messages
type=AVC msg=audit(1313587078.104:70): avc:  denied  { write } for  pid=2586 comm="mkdir" name="/" dev=devtmpfs ino=4 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir


type=SYSCALL msg=audit(1313587078.104:70): arch=i386 syscall=mkdir success=no exit=EACCES a0=bf9b68cc a1=1ed a2=8053388 a3=bf9b68c7 items=0 ppid=2576 pid=2586 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=mkdir exe=/bin/mkdir subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)

Hash: mkdir,vpnc_t,device_t,dir,write

audit2allow

#============= vpnc_t ==============
#!!!! The source type 'vpnc_t' can write to a 'dir' of the following types:
# tmp_t, etc_t, vpnc_tmp_t, var_run_t, vpnc_var_run_t, net_conf_t

allow vpnc_t device_t:dir write;

audit2allow -R

#============= vpnc_t ==============
#!!!! The source type 'vpnc_t' can write to a 'dir' of the following types:
# tmp_t, etc_t, vpnc_tmp_t, var_run_t, vpnc_var_run_t, net_conf_t

allow vpnc_t device_t:dir write;

Comment 1 Ilkka Tengvall 2011-08-17 13:39:31 UTC
after allowing the above exception, it runs into the next denial:


SELinux is preventing /bin/mkdir from add_name access on the directory net.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mkdir should be allowed add_name access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mkdir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                net [ dir ]
Source                        mkdir
Source Path                   /bin/mkdir
Port                          <Unknown>
Host                          pikkud.mobile.fp.nsn-rdnet.net
Source RPM Packages           coreutils-8.10-2.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pikkud.mobile.fp.nsn-rdnet.net
Platform                      Linux pikkud.mobile.fp.nsn-rdnet.net
                              2.6.35.10-74.fc14.i686 #1 SMP Thu Dec 23 16:17:40
                              UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed 17 Aug 2011 06:34:40 AM PDT
Last Seen                     Wed 17 Aug 2011 06:34:40 AM PDT
Local ID                      376acc1b-d404-4877-9c27-7035830cbbf5

Raw Audit Messages
type=AVC msg=audit(1313588080.902:109): avc:  denied  { add_name } for  pid=3593 comm="mkdir" name="net" scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir


type=SYSCALL msg=audit(1313588080.902:109): arch=i386 syscall=mkdir success=no exit=EACCES a0=bfaf58cc a1=1ed a2=8053388 a3=bfaf58c7 items=0 ppid=3581 pid=3593 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=mkdir exe=/bin/mkdir subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)

Hash: mkdir,vpnc_t,device_t,dir,add_name

audit2allow

#============= vpnc_t ==============
allow vpnc_t device_t:dir add_name;

audit2allow -R

#============= vpnc_t ==============
allow vpnc_t device_t:dir add_name;

Comment 2 Ilkka Tengvall 2011-08-17 13:52:34 UTC
and after that, this is the next:

SELinux is preventing /sbin/modprobe from read access on the directory /etc/modprobe.d.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that modprobe should be allowed read access on the modprobe.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep modprobe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023
Target Context                system_u:object_r:modules_conf_t:s0
Target Objects                /etc/modprobe.d [ dir ]
Source                        modprobe
Source Path                   /sbin/modprobe
Port                          <Unknown>
Host                          pikkud.mobile.fp.nsn-rdnet.net
Source RPM Packages           module-init-tools-3.16-2.fc15
Target RPM Packages           module-init-tools-3.16-2.fc15
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pikkud.mobile.fp.nsn-rdnet.net
Platform                      Linux pikkud.mobile.fp.nsn-rdnet.net
                              2.6.35.10-74.fc14.i686 #1 SMP Thu Dec 23 16:17:40
                              UTC 2010 i686 i686
Alert Count                   2
First Seen                    Wed 17 Aug 2011 06:38:27 AM PDT
Last Seen                     Wed 17 Aug 2011 06:38:27 AM PDT
Local ID                      26cfa8d3-f6f9-43e3-bc30-fbd9942a6ecc

Raw Audit Messages
type=AVC msg=audit(1313588307.618:128): avc:  denied  { read } for  pid=4398 comm="modprobe" name="modprobe.d" dev=dm-1 ino=46 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir


type=SYSCALL msg=audit(1313588307.618:128): arch=i386 syscall=open success=no exit=EACCES a0=805d3bd a1=0 a2=1b6 a3=0 items=0 ppid=4390 pid=4398 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=modprobe exe=/sbin/modprobe subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)

Hash: modprobe,vpnc_t,modules_conf_t,dir,read

audit2allow

#============= vpnc_t ==============
allow vpnc_t modules_conf_t:dir read;

audit2allow -R

#============= vpnc_t ==============
allow vpnc_t modules_conf_t:dir read;

Comment 3 Ilkka Tengvall 2011-08-17 13:53:09 UTC
and after adding those it just fails otherwise due to mkdir not succeeding:

mkdir: cannot create directory `/dev/net': Permission denied
mknod: `/dev/net/tun': No such file or directory
vpnc: can't open /dev/net/tun, check that it is either device char 10 200 or (with DevFS) a symlink to ../misc/net/tun (not misc/net/tun): No such file or directory
vpnc: can't initialise tunnel interface: No such file or directory

Comment 4 Ilkka Tengvall 2011-08-17 13:54:09 UTC
vpnc-0.5.3-12.svn457.fc15.i686
policycoreutils-2.0.86-7.fc15.i686
checkpolicy-2.0.23-3.fc15.i686
polkit-desktop-policy-0.101-6.fc15.noarch
policycoreutils-python-2.0.86-7.fc15.i686
policycoreutils-gui-2.0.86-7.fc15.i686
selinux-policy-targeted-3.9.16-35.fc15.noarch
selinux-policy-3.9.16-35.fc15.noarch

Comment 5 Miroslav Grepl 2011-08-22 10:17:09 UTC
Could you execute

# semanage permissive -a vpnc_t

and collect all AVC msgs which you see.

Comment 6 Ilkka Tengvall 2011-08-26 07:05:37 UTC
here we go, unfortunately the vpnc fails for some reason from this network where I'm at now. It clearly fails to insert some modules for tunnel. I'll attach the log.

Comment 7 Ilkka Tengvall 2011-08-26 07:08:56 UTC
Created attachment 520019 [details]
vpnc avc logs while semanage permissive -a vpnc_t

Comment 8 Daniel Walsh 2011-08-26 18:12:13 UTC
This looks like your vpnc script is running modprobe?

Is this standard?  You probably want to add a domtrans

modprobe_domtrans_insmod(vpnc_t)

Is this a standard configuration?

Comment 9 Ilkka Tengvall 2011-08-29 07:34:43 UTC
yes, it looks so, it needs to set up a network interface and tunnel all/some traffic to it. The vpnc is the standard one coming from the Fedora repos; of course my connection setup in vpnc.conf is specific to me. But setting up the tun device is normal behaviour.

Excuse my ignorance, but where should that be added? It looks like a function call, so do you mean to patch the vpnc code and recompile the package? Or is that some policy magic which gets put somewhere?

Comment 10 Ilkka Tengvall 2011-08-29 07:38:17 UTC
BTW, there is a bug filed long ago about the same issue, handled for NM it seems: #208579 "NetworkManager-vpnc triggering SELinux when doing modprobe tun.ko"

I verify that it works just fine in NM gui, it's only the command line client that doesn't work. And me loves cmdline... :)

Comment 11 Miroslav Grepl 2011-08-29 08:14:30 UTC
Could you try to add the following local policy

# cat mypol.te

policy_module(mypol, 1.0)

require{
 type vpnc_t;
}

modprobe_domtrans_insmod(vpnc_t)





# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp
# semanage permissive -d vpnc_t

and try to re-test it.

Comment 12 Ilkka Tengvall 2011-08-29 08:35:30 UTC
Some syntax error in it? See:


# cat > mypol.te
policy_module(mypol, 1.0)

require{
 type vpnc_t;
}

modprobe_domtrans_insmod(vpnc_t)

[root@pikkud test]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted mypol module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypol.tmp
mypol.te":7:ERROR 'syntax error' at token 'modprobe_domtrans_insmod' on line 3216:
modprobe_domtrans_insmod(vpnc_t)

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/mypol.mod] Error 1

Comment 13 Miroslav Grepl 2011-08-29 09:45:23 UTC
My fault, I meant

modutils_domtrans_insmod_uncond(vpnc_t)

instead of

modprobe_domtrans_insmod(vpnc_t)

Comment 14 Ilkka Tengvall 2011-08-29 10:27:16 UTC
thanks, I did that and took me this far:

type=AVC msg=audit(1314613488.929:262): avc:  denied  { getattr } for  pid=9835 comm="vpnc-script" path="/dev/net/tun" dev=devtmpfs ino=97311 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1314613488.929:262): arch=40000003 syscall=195 success=no exit=-13 a0=8a71fc0 a1=bfd7ee28 a2=345ff4 a3=8a71fc6 items=0 ppid=9828 pid=9835 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vpnc-script" exe="/bin/bash" subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1314613488.965:263): avc:  denied  { read write } for  pid=9852 comm="vpnc-script" name="tun" dev=devtmpfs ino=97311 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1314613488.965:263): arch=40000003 syscall=5 success=no exit=-13 a0=8a72070 a1=8042 a2=1b6 a3=b items=0 ppid=9835 pid=9852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vpnc-script" exe="/bin/bash" subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1314613488.965:264): avc:  denied  { read write } for  pid=9852 comm="vpnc-script" name="tun" dev=devtmpfs ino=97311 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1314613488.965:264): arch=40000003 syscall=5 success=no exit=-13 a0=8a72070 a1=8002 a2=0 a3=b items=0 ppid=9835 pid=9852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vpnc-script" exe="/bin/bash" subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)

Comment 15 Daniel Walsh 2011-08-29 16:12:37 UTC
Miroslav maybe we should add a policy for vpnc-script and only give it the ability to execute modprobe.

Comment 16 Daniel Walsh 2011-08-29 16:15:42 UTC
 
                        # make sure tun device exists
                        if [ ! -e /dev/net/tun ]; then
                                mkdir -p /dev/net
                                mknod -m 0640 /dev/net/tun c 10 200
                        fi

This script needs to add

restorecon -R -v /dev/net

Comment 17 Ilkka Tengvall 2011-08-30 05:25:43 UTC
here's what it looks like before and after restorecon, it seems it had been created with proper tags:

$ ls -laZ /dev/net/
drwxr-xr-x. root root system_u:object_r:device_t:s0    .
drwxr-xr-x. root root system_u:object_r:device_t:s0    ..
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0 tun
$ sudo restorecon -R -v /dev/net
$ ls -laZ /dev/net/
drwxr-xr-x. root root system_u:object_r:device_t:s0    .
drwxr-xr-x. root root system_u:object_r:device_t:s0    ..
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0 tun

I did not create this manually as you instructed above, it was the vpnc creating it.

Comment 18 Daniel Walsh 2011-08-30 09:32:42 UTC
The avc indicates that it was created for a small time with the wrong label on it.

 type=AVC msg=audit(1314613488.965:263): avc:  denied  { read write } for 
pid=9852 comm="vpnc-script" name="tun" dev=devtmpfs ino=97311
scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1314613488.965:263): arch=40000003 syscall=5 success=no

udev is watching for mislabeled char_files and when it sees one will fix the label, but in the meantime the vpnc script has touched the device, generating the AVC.

So the vpnc-script should have made sure the device has the correct label as soon as it is created.
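The AVC lines in comments 14 and 28, and Daniel's explanation above of the short window in which /dev/net/tun carries the generic device_t label, can be checked mechanically rather than by eyeballing audit.log. The following Python script is an added example for this bug, not code from vpnc, setroubleshoot or Fedora's policy tooling: it parses raw AVC and SYSCALL records, joins them by audit serial, collapses the denials into audit2allow-style rules, marks records whose SYSCALL shows success=yes (the domain was permissive, as in comment 28), and flags chr_file denials where the target still has the /dev directory's own type. The sample records are copied from this bug report (the description and comments 14 and 28); the EXPECTED_LABEL table contains only the /dev/net/tun entry taken from the sealert restorecon hint in comment 26 and is a constructed assumption, as is the heuristic that a character device labelled device_t is mislabeled.

```python
"""Triage SELinux AVC denials: audit2allow-style rules plus a mislabel check.
Added example for this bug; not part of vpnc, setroubleshoot or selinux-policy."""
import re
from collections import defaultdict

# Constructed assumption: expected device labels this example knows about.  The
# only entry is what sealert's restorecon plugin reported in comment 26.
EXPECTED_LABEL = {"/dev/net/tun": "tun_tap_device_t"}
# Assumption: device_t is the label of /dev itself; a device node that still
# carries it was created before udev/restorecon could relabel it (comment 18).
GENERIC_DEV_TYPE = "device_t"

# Audit records copied verbatim from this bug (description, comment 14, comment 28).
SAMPLE_LOG = """
type=AVC msg=audit(1313587078.104:70): avc:  denied  { write } for  pid=2586 comm="mkdir" name="/" dev=devtmpfs ino=4 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
type=SYSCALL msg=audit(1313587078.104:70): arch=i386 syscall=mkdir success=no exit=EACCES a0=bf9b68cc a1=1ed a2=8053388 a3=bf9b68c7 items=0 ppid=2576 pid=2586 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=mkdir exe=/bin/mkdir subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1314613488.929:262): avc:  denied  { getattr } for  pid=9835 comm="vpnc-script" path="/dev/net/tun" dev=devtmpfs ino=97311 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1314613488.929:262): arch=40000003 syscall=195 success=no exit=-13 a0=8a71fc0 a1=bfd7ee28 a2=345ff4 a3=8a71fc6 items=0 ppid=9828 pid=9835 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vpnc-script" exe="/bin/bash" subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1314613488.965:263): avc:  denied  { read write } for  pid=9852 comm="vpnc-script" name="tun" dev=devtmpfs ino=97311 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1314613488.965:263): arch=40000003 syscall=5 success=no exit=-13 a0=8a72070 a1=8042 a2=1b6 a3=b items=0 ppid=9835 pid=9852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vpnc-script" exe="/bin/bash" subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316151240.704:71): avc:  denied  { getattr } for  pid=2470 comm="vpnc-script" path="/dev/net/tun" dev=devtmpfs ino=37429 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316151240.704:71): arch=40000003 syscall=195 success=yes exit=0 a0=9670770 a1=bfe66558 a2=345ff4 a3=9670776 items=0 ppid=2469 pid=2470 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vpnc-script" exe="/bin/bash" subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def _kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text):
    """Return the AVC records in file order, each joined to its SYSCALL by serial."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = AVC_RE.match(line)
        if m:
            rec = _kv(m.group("fields"))
            rec["serial"] = m.group("serial")
            rec["perms"] = m.group("perms").split()
            rec["stype"] = rec["scontext"].split(":")[2]   # user:role:TYPE:range
            rec["ttype"] = rec["tcontext"].split(":")[2]
            avcs.append(rec)
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group("serial")] = _kv(m.group("fields"))
    for rec in avcs:
        # A denied AVC whose syscall nevertheless succeeded means the source
        # domain was permissive: logged, not blocked (comment 28).
        rec["permissive"] = syscalls.get(rec["serial"], {}).get("success") == "yes"
    return avcs


def allow_rules(records):
    """Collapse records into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for r in records:
        perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def suspected_mislabels(records):
    """(serial, object, expected label) for chr_file denials whose target still
    carries the generic /dev type.  Allowing such a denial would grant access to
    every device_t node; the fix is relabelling (restorecon), per comments 16/18."""
    findings = []
    for r in records:
        if r["tclass"] != "chr_file" or r["ttype"] != GENERIC_DEV_TYPE:
            continue
        path = r.get("path")                 # absent on name-only records
        expected = EXPECTED_LABEL.get(path, "<unknown>")
        findings.append((r["serial"], path or r.get("name"), expected))
    return findings


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_LOG)
    for rule in allow_rules(recs):
        print(rule)
    for serial, obj, expected in suspected_mislabels(recs):
        print(f"audit serial {serial}: {obj} labelled {GENERIC_DEV_TYPE}, expected {expected}")
    print("permissive serials:", [r["serial"] for r in recs if r["permissive"]])
```

The point of the mislabel pass is the same one made in the comments: `allow vpnc_t device_t:chr_file { getattr read write };` is what audit2allow would print, but it is the wrong fix, because the object was simply created before it got its tun_tap_device_t label. Run against a real /var/log/audit/audit.log the script only needs the `SAMPLE_LOG` string swapped for the file contents.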

Comment 19 Fedora Admin XMLRPC Client 2011-08-31 00:43:40 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 20 Daniel Walsh 2011-08-31 14:26:36 UTC
Created attachment 520832 [details]
Patch to make sure selinux labels are correct.

This patch to vpnc-script will make sure the directories and devices that are created in the vpnc-script are labeled correctly.

Comment 21 Christian Krause 2011-09-04 20:25:22 UTC
(In reply to comment #20)
> This patch to vpnc-script will make sure the directories and devices that are
> created in the vpnc-script needs to be labeled correctly.

Daniel, is this patch sufficient to solve the whole issue described in this bug report or is it necessary to change the selinux policies, too?

Comment 22 Daniel Walsh 2011-09-06 15:01:57 UTC
No, after the script is fixed, SELinux policy changes are also necessary.

Comment 23 Christian Krause 2011-09-11 16:24:19 UTC
I have fixed the script in vpnc for RAWHIDE. New packages including the bug fix for F16 and F15 are on their way.

I'll now move the bug to the selinux-policy component to track the remaining changes.

Comment 24 Fedora Update System 2011-09-11 16:32:46 UTC
vpnc-0.5.3-13.svn457.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/vpnc-0.5.3-13.svn457.fc16

Comment 25 Fedora Update System 2011-09-11 16:35:07 UTC
vpnc-0.5.3-13.svn457.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/vpnc-0.5.3-13.svn457.fc15

Comment 26 Ilkka Tengvall 2011-09-14 06:40:34 UTC
Thanks, I tested it and it works already, but there are some additional warnings:

on command line:
-----------------------
mknod: `/dev/net/tun': File exists
Permission denied
VPNC started in background (pid: 2386)...
-----------------------


and the sealert here:

-----------------------
SELinux is preventing /bin/bash from getattr access on the chr_file /dev/net/tun.

*****  Plugin restorecon (90.5 confidence) suggests  *************************

If you want to fix the label. 
/dev/net/tun default label should be tun_tap_device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/net/tun

*****  Plugin device (9.50 confidence) suggests  *****************************

If you want to allow bash to have getattr access on the tun chr_file
Then you need to change the label on /dev/net/tun to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '/dev/net/tun'
# restorecon -v '/dev/net/tun'

*****  Plugin catchall (1.40 confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the tun chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vpnc-script /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/net/tun [ chr_file ]
Source                        vpnc-script
Source Path                   /bin/bash
Port                          <Unknown>
Host                          pikkud.mobile.fp.nsn-rdnet.net
Source RPM Packages           bash-4.2.10-4.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pikkud.mobile.fp.nsn-rdnet.net
Platform                      Linux pikkud.mobile.fp.nsn-rdnet.net
                              2.6.35.10-74.fc14.i686 #1 SMP Thu Dec 23 16:17:40
                              UTC 2010 i686 i686
Alert Count                   3
First Seen                    Mon 29 Aug 2011 01:24:48 PM EEST
Last Seen                     Wed 14 Sep 2011 09:33:03 AM EEST
Local ID                      1a07c573-f35e-4f8a-938f-7fe6892c50a0

Raw Audit Messages
type=AVC msg=audit(1315981983.590:61): avc:  denied  { getattr } for  pid=2330 comm="vpnc-script" path="/dev/net/tun" dev=devtmpfs ino=32302 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1315981983.590:61): arch=i386 syscall=stat64 success=no exit=EACCES a0=9cd8770 a1=bf84e378 a2=345ff4 a3=9cd8776 items=0 ppid=2329 pid=2330 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=vpnc-script exe=/bin/bash subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)

Hash: vpnc-script,vpnc_t,device_t,chr_file,getattr

audit2allow

#============= vpnc_t ==============
allow vpnc_t device_t:chr_file getattr;

audit2allow -R

#============= vpnc_t ==============
allow vpnc_t device_t:chr_file getattr;

-----------------------


the restorecon doesn't change the file:


-----------------------
$ ls -laZ /dev/net/tun 
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0 /dev/net/tun
$ sudo /sbin/restorecon -v /dev/net/tun
$ ls -laZ /dev/net/tun 
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0 /dev/net/tun
-----------------------

Comment 27 Daniel Walsh 2011-09-15 14:51:06 UTC
Could you run this in permissive mode and gather all of the AVC messages.

Comment 28 Ilkka Tengvall 2011-09-16 05:41:00 UTC
I did:

1. sudo  semanage permissive -a vpnc_t
2. sudo vpnc vpn.cnf

If I then remove permissive from vpnc_t, it won't happen again, so something gets labelled correctly at the first run.


------------------------
type=USER_START msg=audit(1316151233.553:70): user pid=2469 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'

type=AVC msg=audit(1316151240.704:71): avc:  denied  { getattr } for  pid=2470 comm="vpnc-script" path="/dev/net/tun" dev=devtmpfs ino=37429 scontext=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1316151240.704:71): arch=40000003 syscall=195 success=yes exit=0 a0=9670770 a1=bfe66558 a2=345ff4 a3=9670776 items=0 ppid=2469 pid=2470 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vpnc-script" exe="/bin/bash" subj=unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023 key=(null)
------------------------

Comment 29 Daniel Walsh 2011-09-16 15:23:55 UTC
I guess you can reproduce by removing /dev/net/tun

Comment 30 Fedora Update System 2011-09-25 23:18:21 UTC
vpnc-0.5.3-13.svn457.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2011-09-30 19:06:58 UTC
vpnc-0.5.3-13.svn457.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 32 Fedora Update System 2011-11-16 16:16:20 UTC
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Comment 33 Fedora Update System 2011-11-17 23:34:42 UTC
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

Comment 34 Fedora Update System 2011-12-04 02:34:23 UTC
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

