palvit 05-02-2008 03:16 PM

SElinux problem
 
I am trying to set up my Fedora Core 8 as a PPP server. I have a winmodem and I have set it up according to the following link
http://www20.brinkster.com/olivares/...d-setup-1.html and using slmodem-2.9.11-20080417.tar.gz and ungrab-winmodem-20080126 from the following link
http://linmodems.technion.ac.il/packages/smartlink/

Now I can dial any phone number, and thus the modem is working fine.

Then I set up my PPP server using the instructions from the following link
http://howtoforge.com/linux_dialin_server

But when I see

#tail -f /var/log/messages

May 3 01:31:21 myisp mgetty[15229]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 01:31:21 myisp mgetty[15229]: open device /dev/ttySL0 failed: Permission denied
May 3 01:31:21 myisp mgetty[15229]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 01:31:21 myisp init: Id "SL0" respawning too fast: disabled for 5 minutes
May 3 01:31:23 myisp setroubleshoot: #012 SELinux prevented mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3

I then followed the instruction and ran the following command

# setsebool -P allow_daemons_use_tty=1

But SELinux keeps on giving the same message every five minutes.

Also, when I log in as another user and run pppd I see

# tail -f /var/log/messages
May 3 01:44:20 myisp pppd[15355]: pppd 2.4.4 started by rajdeep, uid 501
May 3 01:44:20 myisp pppd[15355]: Using interface ppp0
May 3 01:44:20 myisp pppd[15355]: Connect: ppp0 <--> /dev/tty1
May 3 01:44:22 myisp acpid: client connected from 2517[0:0]
May 3 01:44:22 myisp acpid: 1 client rule loaded

So I think pppd is working, but maybe it is not able to open the modem properly.

What should I do?

unSpawn 05-02-2008 06:10 PM

What does 'sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3' return? Are there any other AVC messages?

palvit 05-03-2008 01:51 AM

Quote:

Originally Posted by unSpawn (Post 3140455)
What does 'sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3' return? Are there any other AVC messages?

It tells me to run the following

# setsebool -P allow_daemons_use_tty=1

which I ran; but after some time the same message comes again and AVC denies.

unSpawn 05-03-2008 05:53 AM

Quote:

Originally Posted by palvit (Post 3140819)
It tells me to run the following

The *complete* message please.

palvit 05-03-2008 10:56 AM

Quote:

Originally Posted by unSpawn (Post 3140978)
The *complete* message please.

[root@localhost ~]# tail -f /var/log/messages

May 3 19:01:01 localhost mgetty[3793]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:01:01 localhost mgetty[3793]: open device /dev/ttySL0 failed: Permission denied
May 3 19:01:01 localhost mgetty[3793]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:01:01 localhost mgetty[3794]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:01:01 localhost mgetty[3794]: open device /dev/ttySL0 failed: Permission denied
May 3 19:01:01 localhost mgetty[3794]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:01:02 localhost mgetty[3798]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:01:02 localhost mgetty[3798]: open device /dev/ttySL0 failed: Permission denied
May 3 19:01:02 localhost mgetty[3798]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:01:02 localhost init: Id "SL0" respawning too fast: disabled for 5 minutes
May 3 19:01:04 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:01:04 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:01:04 localhost setroubleshoot: #012 SELinux prevented mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:01:04 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:01:04 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:01:04 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:01:04 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:01:04 localhost setroubleshoot: #012 SELinux prevented mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:01:04 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:01:04 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3




[root@localhost ~]# sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
Summary
SELinux prevented /sbin/mgetty from using the terminal <Unknown>.

Detailed Description
SELinux prevented /sbin/mgetty from using the terminal <Unknown>. In most
cases daemons do not need to interact with the terminal, usually these avc
messages can be ignored. All of the confined daemons should have dontaudit
rules around using the terminal. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this selinux-
policy. If you would like to allow all daemons to interact with the
terminal, you can turn on the allow_daemons_use_tty boolean.

Allowing Access
Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."

The following command will allow this access:
setsebool -P allow_daemons_use_tty=1

Additional Information

Source Context system_u:system_r:getty_t:s0
Target Context system_u:object_r:unconfined_devpts_t:s0
Target Objects None [ chr_file ]
Affected RPM Packages mgetty-1.1.33-11.fc8 [application]
Policy RPM selinux-policy-3.0.8-44.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.allow_daemons_use_tty
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP
Tue Oct 30 13:55:12 EDT 2007 i686 i686
Alert Count 280
First Seen Fri May 2 18:13:57 2008
Last Seen Sat May 3 19:01:02 2008
Local ID c11200ee-abc1-45f1-b64e-3e816e74a3c3
Line Numbers

Raw Audit Messages

avc: denied { read write } for comm=mgetty dev=devpts egid=0 euid=0
exe=/sbin/mgetty exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=2 pid=3798
scontext=system_u:system_r:getty_t:s0 sgid=0 subj=system_u:system_r:getty_t:s0
suid=0 tclass=chr_file tcontext=system_u:object_r:unconfined_devpts_t:s0
tty=(none) uid=0

[root@localhost ~]# setsebool -P allow_daemons_use_tty=1

[root@localhost ~]# tail -f /var/log/messages

May 3 19:03:16 localhost dbus: avc: received policyload notice (seqno=2)
May 3 19:03:16 localhost setsebool: The allow_daemons_use_tty policy boolean was changed to 1 by root

May 3 19:06:03 localhost mgetty[3815]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:06:03 localhost mgetty[3815]: open device /dev/ttySL0 failed: Permission denied
May 3 19:06:03 localhost mgetty[3815]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:06:04 localhost mgetty[3816]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:06:04 localhost mgetty[3816]: open device /dev/ttySL0 failed: Permission denied
May 3 19:06:04 localhost mgetty[3816]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:06:04 localhost mgetty[3817]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:06:04 localhost mgetty[3817]: open device /dev/ttySL0 failed: Permission denied
May 3 19:06:04 localhost mgetty[3817]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:06:05 localhost mgetty[3818]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:06:05 localhost mgetty[3818]: open device /dev/ttySL0 failed: Permission denied
May 3 19:06:05 localhost mgetty[3818]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:06:05 localhost mgetty[3819]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:06:05 localhost mgetty[3819]: open device /dev/ttySL0 failed: Permission denied
May 3 19:06:05 localhost mgetty[3819]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:06:06 localhost mgetty[3820]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:06:06 localhost mgetty[3820]: open device /dev/ttySL0 failed: Permission denied
May 3 19:06:06 localhost mgetty[3820]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:06 localhost mgetty[3821]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:06:06 localhost mgetty[3821]: open device /dev/ttySL0 failed: Permission denied
May 3 19:06:06 localhost mgetty[3821]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:06:06 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:07 localhost mgetty[3822]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:06:07 localhost mgetty[3822]: open device /dev/ttySL0 failed: Permission denied
May 3 19:06:07 localhost mgetty[3822]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:06:07 localhost mgetty[3823]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:06:07 localhost mgetty[3823]: open device /dev/ttySL0 failed: Permission denied
May 3 19:06:07 localhost mgetty[3823]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:06:08 localhost mgetty[3824]: mod: cannot open line /dev/ttySL0: Permission denied
May 3 19:06:08 localhost mgetty[3824]: open device /dev/ttySL0 failed: Permission denied
May 3 19:06:08 localhost mgetty[3824]: cannot get terminal line dev=ttySL0, exiting: Permission denied
May 3 19:06:08 localhost init: Id "SL0" respawning too fast: disabled for 5 minutes
May 3 19:06:10 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:06:10 localhost setroubleshoot: #012 SELinux prevented mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:10 localhost setroubleshoot: #012 SELinux prevented mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:06:10 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:10 localhost setroubleshoot: #012 SELinux prevented mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:10 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:06:10 localhost setroubleshoot: #012 SELinux prevented mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:10 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:10 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3
May 3 19:06:10 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l e0207873-9500-4bde-bc45-d20045a05afb
May 3 19:06:10 localhost setroubleshoot: #012 SELinux prevented /sbin/mgetty from using the terminal <Unknown>.#012 For complete SELinux messages. run sealert -l c11200ee-abc1-45f1-b64e-3e816e74a3c3

So, the problem persists even if I do as instructed (i.e. run setsebool -P allow_daemons_use_tty=1).

unSpawn 05-03-2008 02:48 PM

It seems that next to c11200ee-abc1-45f1-b64e-3e816e74a3c3 you have a second (related?) issue: e0207873-9500-4bde-bc45-d20045a05afb. What is the effect of using a local policy with those AVC messages?
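
Added example, not part of the thread or any poster's code: a local policy is derived from the scontext, tcontext, tclass and denied permissions of each AVC record. This Python code parses the raw audit message quoted in the sealert output above and emits the type-enforcement source such a module would contain; the module name `mgettylocal` is hypothetical, and on a real system audit2allow and semodule do this job.

```python
import re
from collections import defaultdict

# The raw audit message from the sealert output in this thread, joined onto one line.
SAMPLE_AVC = (
    "avc: denied { read write } for comm=mgetty dev=devpts egid=0 euid=0 "
    "exe=/sbin/mgetty exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=2 pid=3798 "
    "scontext=system_u:system_r:getty_t:s0 sgid=0 subj=system_u:system_r:getty_t:s0 "
    "suid=0 tclass=chr_file tcontext=system_u:object_r:unconfined_devpts_t:s0 "
    "tty=(none) uid=0")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if not a usable denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    try:
        # SELinux context layout is user:role:type:level, so the type is field 2.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        return src, tgt, fields["tclass"], frozenset(m.group(1).split())
    except (KeyError, IndexError):
        return None  # truncated record: never guess a type

def module_source(name, lines):
    """Build .te text for a local module allowing exactly the denials in lines."""
    rules = defaultdict(set)    # (source, target, class) -> merged permissions
    classes = defaultdict(set)  # class -> permissions, for the require block
    for parsed in filter(None, map(parse_avc, lines)):
        src, tgt, tclass, perms = parsed
        rules[(src, tgt, tclass)] |= perms
        classes[tclass] |= perms
    types = sorted({t for s, g, _ in rules for t in (s, g)})
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        out.append("allow %s %s:%s { %s };"
                   % (src, tgt, tclass, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(module_source("mgettylocal", [SAMPLE_AVC]))
```

Read the generated rule before loading anything: it grants getty_t read and write on every unconfined_devpts_t character device, and the record names a devpts object (dev=devpts name=2), not /dev/ttySL0.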

