FC9: ADSL for non-root users

Marco Guazzone marco.guazzone at gmail.com
Sun May 25 15:20:53 UTC 2008


Hi Anne,

setroubleshootd says to run:

$ restorecon -v '/usr/sbin/pppd'

I've tried but no hope. Same error.

Here below is the detailed SELinux error:

--- [snip] ---
*Summary*
SELinux is preventing ifup-ppp (usernetctl_t) "getattr" to /usr/sbin/pppd
(pppd_exec_t).

*Detailed Description*
SELinux denied access requested by ifup-ppp. It is not expected that this
access is required by ifup-ppp and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.

*Allowing Access*
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /usr/sbin/pppd,

restorecon -v '/usr/sbin/pppd'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this access
- see FAQ Or you can disable SELinux protection altogether. Disabling
SELinux protection is not recommended. Please file a bug report against this
package.

*Additional Information*
Source Context:  unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:pppd_exec_t:s0
Target Objects:  /usr/sbin/pppd [ file ]
Source:  ifup-ppp
Source Path:  /bin/bash
Port:  <Unknown>
Host:  backtrack
Source RPM Packages:  bash-3.2-22.fc9
Target RPM Packages:  ppp-2.4.4-7.fc9
Policy RPM:  selinux-policy-3.3.1-51.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall_file
Host Name:  backtrack
Platform:  Linux backtrack 2.6.25.3-18.fc9.x86_64 #1 SMP Tue May 13 04:54:47
EDT 2008 x86_64 x86_64
Alert Count:  5
First Seen:  Sat 24 May 2008 09:34:44 AM CEST
Last Seen:  Sun 25 May 2008 05:12:11 PM CEST
Local ID:  2d7c3d51-e43f-4791-b453-3d32e6239030
Line Numbers:
Raw Audit Messages :
  host=backtrack type=AVC msg=audit(1211728331.28:175): avc: denied {
getattr } for pid=25519 comm="ifup-ppp" path="/usr/sbin/pppd" dev=sda5
ino=19009 scontext=unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file
  host=backtrack type=SYSCALL msg=audit(1211728331.28:175): arch=c000003e
syscall=4 success=no exit=-13 a0=16a40a0 a1=7fff2f3aea90 a2=7fff2f3aea90
a3=8 items=0 ppid=20794 pid=25519 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts7 ses=1 comm="ifup-ppp" exe="/bin/bash"
subj=unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023 key=(null)
--- [/snip] ---

And this is my ifcfg-DSL script:
--- [snip] ---
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
TYPE=xDSL
DEVICE=ppp0
BOOTPROTO=dialup
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
PIDFILE=/var/run/pppoe-adsl.pid
FIREWALL=NONE
PING=.
PPPOE_TIMEOUT=80
LCP_FAILURE=3
LCP_INTERVAL=20
CLAMPMSS=1412
CONNECT_POLL=6
CONNECT_TIMEOUT=60
PERSIST=no
SYNCHRONOUS=no
DEFROUTE=yes
USER='xxx at xxx.xxx'
ETH=eth0
PROVIDER=DSL
DEMAND=no
NM_CONTROLLED=no
ONBOOT=no
--- [/snip] ---

Thanks!!

-- Marco

2008/5/25 Anne Wilson <cannewilson at googlemail.com>:

> On Sunday 25 May 2008 15:49:28 Marco Guazzone wrote:
> > Hello everyone!
> >
> > I've created an xDSL connection with system-config-network.
> >
> > If I try to connect as non-root user with the command:
> > $ /sbin/ifup DSL
> > I got the error message:
> >
> > --- [snip] ---
> > pppd does not exist or is not executable
> > ifup-ppp for ppp0 exiting
> > --- [/snip] ---
> >
> > along with the SELinux error:
> >
> > --- [snip] ---
> > SELinux is preventing ifup-ppp (usernetctl_t) "getattr" to /usr/sbin/pppd
> > (pppd_exec_t).
> > --- [/snip] ---
> >
> > If instead I execute the same command as root or with sudo all works.
> >
> > Note:
> > * in FC8 I was able to connect without root privileges
> > * Using the adsl-start got no error but has no effect (no connection
> > starts).
> >
> Run the troubleshooter with 'sealert -b'.  You'll see the same error message
> and it will tell you what to do about it.
>
> Anne
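
The sealert report in this message says a local policy module can be generated to allow the denied access. As an added example (not part of the original message and not a Fedora tool), the Python script below parses the AVC record from that report and emits the type-enforcement source such a module would contain, so the exact access being granted can be reviewed before anything is loaded. The module name `local_ifup_ppp` is hypothetical.

```python
import re

# AVC record from the report above, joined back onto one line.
AVC_LINE = (
    'host=backtrack type=AVC msg=audit(1211728331.28:175): avc: denied { '
    'getattr } for pid=25519 comm="ifup-ppp" path="/usr/sbin/pppd" dev=sda5 '
    'ino=19009 scontext=unconfined_u:unconfined_r:usernetctl_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type:level; the type is the third field.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        return source, target, fields['tclass'], m.group(1).split()
    except (KeyError, IndexError):
        return None

def te_module(lines, name='local_ifup_ppp'):
    """Merge denials per (source, target, class) and render .te module source."""
    rules = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            source, target, tclass, perms = parsed
            rules.setdefault((source, target, tclass), set()).update(perms)
    types = sorted({t for s, tgt, _ in rules for t in (s, tgt)})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};'
            for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f'allow {s} {t}:{c} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(te_module([AVC_LINE]))
```

The generated rule covers only the permission that was logged (`getattr`), so a retry in enforcing mode shows whether further denials follow. The source can be built with `checkmodule` and `semodule_package` and loaded with `semodule -i`.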