Re: Dear List members

Daniel J Walsh dwalsh at redhat.com
Tue Sep 29 11:55:51 UTC 2009


On 09/26/2009 05:56 AM, tarnait wrote:
> Hi,
> 
> yeah the console problem was that I use static udev, and the underlying /dev/console didn't have the proper label. Now I'm down to two problems:
> 
> #============= iptables_t ==============
> allow iptables_t pppd_t:packet_socket { read write };
Most likely a leaked file descriptor; if you dontaudit this, everything should work fine.
> 
> #============= pppd_t ==============
> allow pppd_t unconfined_home_dir_t:dir search;

Probably can also be dontaudit.  pppd_t is just searching the homedir of the process that launched it.
> 
> 
> as I use iptables to redirect traffic from wlan0 to ppp0 I assume it's safe to add them.
> 
> Thanks for your help, Kindest Regards
> 
> 
> 
> 
> ________________________________
> From: Paul Howarth <paul at city-fan.org>
> To: Dominick Grift <domg472 at gmail.com>
> CC: fedora-selinux-list at redhat.com
> Sent: Saturday, 26 September 2009, 02:10:58
> Subject: Re: Dear List members
> 
> On Fri, 25 Sep 2009 18:38:20 +0200
> Dominick Grift <domg472 at gmail.com> wrote:
> 
>> On Fri, Sep 25, 2009 at 03:35:52PM +0000, tarnait wrote:
>>> type=AVC msg=audit(1253870574.325:17): avc:  denied  { search }
>>> for  pid=921 comm="pppd" name="root" dev=sda1 ino=12
>>> scontext=system_u:system_r:pppd_t:s0
>>> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
>>> Was caused by: Missing type enforcement (TE) allow rule.
>>>
>>>                 You can use audit2allow to generate a loadable
>>> module to allow this access.
>>>
>>
>> This also *may* be a labelling issue. pppd wants to search /root
>> dir. /root dir has type unconfined_home_dir_t. see if this is
>> correct:
>> matchpathcon /root
>> restorecon -R /root
>>
>> /root usually has type admin_home_t and i do not see any good reason
>> why pppd should be able to search it. misconfiguration/misusage maybe?
> 
> pppd looks for ~/.ppprc, so if you're using it as root (e.g. to connect
> to your ISP) you're going to see this. Haven't found any way of turning
> it off either.
> 
> Paul.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
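The thread's advice is to turn the two AVC records into dontaudit rules rather than allow rules: the access is either harmless (pppd looking for ~/.ppprc in the launcher's home directory) or a leaked descriptor that should not be granted, so the goal is to silence the noise, not to widen the policy. The script below is an added example, not code from any of the posters or from audit2allow itself; it parses AVC lines the way audit2allow does (grouping by source type, target type and object class), emits a loadable-module source with a require block, and lets you pick which rules become dontaudit. The audit text is constructed for the example: the first line is the pppd denial quoted above, the other two are made-up records modelled on the iptables_t/pppd_t packet_socket rule in the thread. It generalises beyond the page by handling any number of denials and classes.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input. Line 1 is the pppd denial quoted in the thread;
# lines 2-3 are constructed to match the iptables_t packet_socket rule it mentions.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1253870574.325:17): avc:  denied  { search } for  pid=921 comm="pppd" name="root" dev=sda1 ino=12 scontext=system_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1253870574.400:18): avc:  denied  { read } for  pid=930 comm="iptables" path="socket:[1234]" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket
type=AVC msg=audit(1253870574.401:19): avc:  denied  { write } for  pid=930 comm="iptables" path="socket:[1234]" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket
"""

# One AVC record: the permission set in braces, then the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(text):
    """Return {(source_type, target_type, tclass): {perms}} for every denial in text."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; skip
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def fmt_perms(perms):
    """TE syntax: a single permission bare, several in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules, dontaudit=frozenset()):
    """Render a .te source; keys listed in `dontaudit` become dontaudit rules, the rest allow."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)

    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {cls} {fmt_perms(classes[cls])};" for cls in sorted(classes)]
    out.append("}")

    # Same per-source-domain sections that audit2allow prints.
    for src in sorted({k[0] for k in rules}):
        out += ["", f"#============= {src} =============="]
        for key in sorted(k for k in rules if k[0] == src):
            verb = "dontaudit" if key in dontaudit else "allow"
            _, tgt, cls = key
            out.append(f"{verb} {src} {tgt}:{cls} {fmt_perms(rules[key])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Read audit text from stdin (e.g. `grep avc /var/log/audit/audit.log | python3 this.py`)
    # or fall back to the constructed sample. Every rule is emitted as dontaudit here,
    # which is what the thread recommends for these two denials.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    parsed = parse_avc(text or SAMPLE_AUDIT)
    sys.stdout.write(render_module("local", parsed, dontaudit=set(parsed)))
```

Save the output as local.te and build it with the standard tool chain: `checkmodule -M -m -o local.mod local.te`, `semodule_package -o local.pp -m local.mod`, `semodule -i local.pp`. Before silencing the /root denial, it is worth running the `matchpathcon /root` check Dominick suggested: if /root is mislabelled, `restorecon -R /root` fixes the real problem and the rule is not needed at all. A dontaudit rule only stops the AVC from being logged; the access stays denied, which is the point for a leaked descriptor.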
