selinux and ppp
Russell Coker
russell at coker.com.au
Fri Apr 2 04:26:54 UTC 2004
On Fri, 2 Apr 2004 02:59, Stephen Smalley <sds at epoch.ncsc.mil> wrote:
> > audit(1080793144.199:0): avc: denied { write } for
> > pid=2983 exe=/usr/sbin/pppd name=ppp dev=sdb2 ino=32585
> > scontext=root:system_r:pppd_t tcontext=system_u:object_r:etc_t tclass=dir
> >
> > Can you please fix the policy to make this work? If it is not a policy
> > issue then what can I do to make this work? I would prefer to leave
> > selinux working so I can test everything I use and report problems.
>
> This implies that pppd is trying to create or unlink a file in
> /etc/ppp. I'd suggest creating a separate type for /etc/ppp to avoid
> giving any write access to other parts of /etc, and also a type for
> whatever files under /etc/ppp should be writable by pppd.
> Possible approach:
I disagree. pppd is trying to write log files in /etc, which is wrong. I have
filed a bug report (see URL below); the correct solution is to put the log
file in question somewhere else. We don't even want pppd to re-write its
own configuration...
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118837
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
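
The reading of the denial discussed in this thread, as an added example that is not part of either message: a small Python parser that groups AVC denials by source type, target type and class, and flags directory-modifying access to a generic type as something to review in the program before widening policy. The names `GENERIC_TYPES`, `DIR_MODIFY`, `parse_avc` and `triage` are hypothetical, the flagging rule is an assumption of this example, and the second sample record is constructed.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the thread, joined onto one line.
# Line 2 is constructed for this example (file name and serial are made up).
SAMPLE = """\
audit(1080793144.199:0): avc: denied { write } for pid=2983 exe=/usr/sbin/pppd name=ppp dev=sdb2 ino=32585 scontext=root:system_r:pppd_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1080793144.201:0): avc: denied { add_name } for pid=2983 exe=/usr/sbin/pppd name=example.log dev=sdb2 ino=32585 scontext=root:system_r:pppd_t tcontext=system_u:object_r:etc_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

# Assumption: types shared by many unrelated files, where write access for one
# daemon would be broad. Only etc_t appears on the page.
GENERIC_TYPES = {"etc_t"}
# dir-class permissions that mean "create, remove or rename an entry here".
DIR_MODIFY = {"write", "add_name", "remove_name"}

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A context is user:role:type[:level]; the type is always the third field.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    fields["perms"] = set(m.group("perms").split())
    return fields

def triage(text):
    """Group denials by (source, target, class) and flag the risky ones."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            grouped[key] |= rec["perms"]
    findings = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        modifies_dir = cls == "dir" and bool(perms & DIR_MODIFY)
        findings.append({"source": src, "target": tgt, "class": cls,
                         "perms": sorted(perms),
                         "review_program": modifies_dir and tgt in GENERIC_TYPES})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```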