selinux and ppp

Stephen Smalley sds at epoch.ncsc.mil
Thu Apr 1 16:59:28 UTC 2004


On Thu, 2004-04-01 at 11:26, bastard operater wrote:
> I just wiped my FC2T1 install and installed FC2T2 with selinux.  The good 
> news is FC2T2 seems to work properly for me (I have only used FC2T2 for 
> about 1 hour so far) with the following exception.  I have an Actiontec call 
> waiting modem and use dial-up to connect to the internet.  Everything worked 
> properly under FC2T1, but now I cannot connect to the internet.   I was 
> logged in as root at the time I tried to connect to the internet.  I type 
> /etc/ppp/ppp-on and I get the following message:
> 
> audit(1080793144.199:0): avc:  denied  { write } for
> pid=2983 exe=/usr/sbin/pppd name=ppp dev=sdb2 ino=32585
> scontext=root:system_r:pppd_t tcontext=system_u:object_r:etc_t tclass=dir
> 
> Can you please fix the policy to make this work? If it is not a policy issue 
> then what can I do to make this work?  I would prefer to leave selinux 
> working so I can test everything I use and report problems.

This implies that pppd is trying to create or unlink a file in
/etc/ppp.  I'd suggest creating a separate type for /etc/ppp to avoid
giving any write access to other parts of /etc, and also a type for
whatever files under /etc/ppp should be writable by pppd.
Possible approach:

0) Install policy-sources if not already installed.  Caveat:  If you
install the latest devel policy-sources, you may need to update your
kernel and policy as well, as there has been an extension to the policy
engine and policy binary format.

1) Add the following lines to
/etc/security/selinux/src/policy/domains/program/pppd.te:

# Define a separate type for /etc/ppp
etcdir_domain(pppd)
# Define a separate type for writable files under /etc/ppp
type pppd_etc_rw_t, file_type, sysadmfile;
# Automatically label newly created files under /etc/ppp with this type
file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)

2) cd /etc/security/selinux/src/policy && make load

3) chcon -R -t pppd_etc_t /etc/ppp

You will also want to update policy/file_contexts/program/pppd.fc to
ensure that the type is preserved by any future relabels/restorecon/rpm
operations, e.g.
/etc/ppp(/.*)?	system_u:object_r:pppd_etc_t

You may also want to restorecon /etc/ppp/*secrets, as the above chcon
will have changed them to pppd_etc_t as well.

Then you can retry pppd, and see what happens.  In particular, it will
be useful to see what files end up getting created with pppd_etc_rw_t in
/etc/ppp.

A possible problem is that putting /etc/ppp into this new type will make
it inaccessible to other domains unless you add rules allowing such
access, so further allow rules may be needed.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
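Added example, not part of the original thread or of the Fedora policy sources: a small Python parser for kernel AVC messages of the format quoted above, which turns each denial into the TE allow rule it implies (what audit2allow does, reimplemented here to show the mechanics). The first sample line is the denial from the message, re-joined onto one line; the second is constructed for this example to show how denials merge after /etc/ppp has been relabeled. The `is_domain_private` check is a heuristic based on the policy's `<domain>_..._t` naming convention and is an assumption of this example, not something the thread states.

```python
"""Parse 2004-era kernel AVC denials and render them as TE allow rules.

Added example for the pppd/etc_t thread; it is not code from the original
message or from the SELinux policy sources.
"""
import re
from collections import defaultdict

# Sample input.  [0] is the denial quoted in the thread, joined onto one line
# (the mail client wrapped it).  [1] is CONSTRUCTED for this example: the kind
# of follow-up denial one would expect once /etc/ppp carries pppd_etc_t.
SAMPLE_DENIALS = [
    "audit(1080793144.199:0): avc:  denied  { write } for  pid=2983 "
    "exe=/usr/sbin/pppd name=ppp dev=sdb2 ino=32585 "
    "scontext=root:system_r:pppd_t tcontext=system_u:object_r:etc_t tclass=dir",
    "audit(1080793201.512:0): avc:  denied  { write add_name } for  pid=3012 "
    "exe=/usr/sbin/pppd name=ppp dev=sdb2 ino=32585 "
    "scontext=root:system_r:pppd_t tcontext=system_u:object_r:pppd_etc_t tclass=dir",
]

# audit(<secs>.<ms>:<serial>): avc:  denied  { perm perm ... } for  key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_context(ctx):
    """Split user:role:type[:range] into its parts.

    The 2004 policy has no MLS range; later policies append one, so a fourth
    field is kept when present rather than rejected.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Parse one AVC message into a dict of typed fields."""
    m = AVC_RE.search(line.strip())
    if not m:
        raise ValueError(f"not an AVC message: {line!r}")
    # Old-format fields are unquoted key=value pairs separated by whitespace
    # (later kernels quote paths; that variant is not handled here).
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError(f"AVC message lacks {key}: {line!r}")
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "permissions": set(m.group("perms").split()),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "exe": fields.get("exe"),
        "name": fields.get("name"),
        "dev": fields.get("dev"),
        "ino": int(fields["ino"]) if "ino" in fields else None,
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def allow_rule(denial, target_type=None):
    """Render a denial as the allow rule that would silence it.

    target_type previews the rule as it would read after relabeling the object
    (etc_t -> pppd_etc_t), which is the narrower rule the thread recommends.
    """
    ttype = target_type or denial["tcontext"]["type"]
    perms = " ".join(sorted(denial["permissions"]))
    return f"allow {denial['scontext']['type']} {ttype}:{denial['tclass']} {{ {perms} }};"


def is_domain_private(denial):
    """Heuristic (assumption of this example): a target type named after the
    source domain (pppd_t -> pppd_etc_t) is private to it; a shared type such as
    etc_t is also read by many other domains, so granting write on it is broad."""
    src = denial["scontext"]["type"]
    prefix = (src[:-2] if src.endswith("_t") else src) + "_"
    return denial["tcontext"]["type"].startswith(prefix)


def merge_rules(lines):
    """audit2allow-style aggregation: one rule per (source, target, class) with
    the permissions of every matching denial merged; granted events are skipped."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d["result"] != "denied":
            continue
        merged[(d["scontext"]["type"], d["tcontext"]["type"], d["tclass"])] |= d["permissions"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for line in SAMPLE_DENIALS:
        d = parse_avc(line)
        scope = "private type" if is_domain_private(d) else "SHARED type, rule is broad"
        print(f"{allow_rule(d)}   # {scope}")
    print("\n".join(merge_rules(SAMPLE_DENIALS)))
```

Run against the thread's denial, the script prints `allow pppd_t etc_t:dir { write };` and flags etc_t as a shared type, which is exactly why the message above proposes a dedicated pppd_etc_t rather than that rule.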
