Problems with pppd and mgetty+sendfax on FC5

Peter Hancox phancox at dtc.com.au
Wed Jun 7 08:31:02 UTC 2006


Recently installed FC5 and am experiencing problems with pppd and
mgetty+sendfax when running with SELinux enabled.

mgetty+sendfax was unable to write to /var/spool/fax/incoming. However,
switching to permissive mode fixed this problem.

What I can't understand is the problem experienced with pppd. Users dialing
in fail PAP authentication when SELinux is enabled. This doesn't happen with
SELinux disabled and dial in works correctly. However, when SELinux is
enabled but running in "permissive" mode rather than "enforcing", pppd still
fails. I thought that in "permissive" mode, SELinux would just log the
permission failures but allow everything to go ahead?

Appears that SELinux is still preventing pppd from accessing the shadow file
to validate user password credentials. Is this a special case? Disabling
SELinux protection for pppd didn't appear to make any difference.


Jun  7 11:44:59 zeus mgetty[2458]: data dev=ttyS1, pid=2458, caller='none', conn='26400/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd', user='/AutoPPP/'
Jun  7 11:44:59 zeus pppd[2458]: pppd 2.4.3 started by a_ppp, uid 0
Jun  7 11:44:59 zeus pppd[2458]: Using interface ppp0
Jun  7 11:44:59 zeus pppd[2458]: Connect: ppp0 <--> /dev/ttyS1
Jun  7 11:45:02 zeus pppd[2458]: PAP peer authentication failed for phancox
Jun  7 11:45:02 zeus kernel: audit(1149644702.926:69): avc:  denied  { read } for  pid=2458 comm="pppd" name="shadow" dev=dm-0 ino=1495903 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Jun  7 11:45:02 zeus kernel: audit(1149644702.926:70): avc:  denied  { getattr } for  pid=2458 comm="pppd" name="shadow" dev=dm-0 ino=1495903 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Jun  7 11:45:02 zeus kernel: audit(1149644702.930:71): avc:  denied  { create } for  pid=2458 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=netlink_audit_socket
Jun  7 11:45:02 zeus kernel: audit(1149644702.930:72): avc:  denied  { write } for  pid=2458 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=netlink_audit_socket
Jun  7 11:45:02 zeus kernel: audit(1149644702.930:73): avc:  denied  { nlmsg_relay } for  pid=2458 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=netlink_audit_socket
Jun  7 11:45:02 zeus kernel: audit(1149644702.930:74): avc:  denied  { read } for  pid=2458 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=netlink_audit_socket
Jun  7 11:45:03 zeus pppd[2458]: Connection terminated.
Jun  7 11:45:03 zeus pppd[2458]: Exit.
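
Added example (not part of the original post): a small parser that groups the AVC denials in the log above by source type, target type and object class, and prints each group in the allow-rule form audit2allow uses, so the denied accesses can be reviewed at a glance. The function names are this example's own; the sample lines are the six denials from the post with the mail line wraps rejoined.

```python
import re
from collections import defaultdict

# The six AVC denials from the post above, mail line wraps rejoined.
SAMPLE_LOG = """\
Jun  7 11:45:02 zeus kernel: audit(1149644702.926:69): avc:  denied  { read } for  pid=2458 comm="pppd" name="shadow" dev=dm-0 ino=1495903 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Jun  7 11:45:02 zeus kernel: audit(1149644702.926:70): avc:  denied  { getattr } for  pid=2458 comm="pppd" name="shadow" dev=dm-0 ino=1495903 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Jun  7 11:45:02 zeus kernel: audit(1149644702.930:71): avc:  denied  { create } for  pid=2458 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=netlink_audit_socket
Jun  7 11:45:02 zeus kernel: audit(1149644702.930:72): avc:  denied  { write } for  pid=2458 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=netlink_audit_socket
Jun  7 11:45:02 zeus kernel: audit(1149644702.930:73): avc:  denied  { nlmsg_relay } for  pid=2458 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=netlink_audit_socket
Jun  7 11:45:02 zeus kernel: audit(1149644702.930:74): avc:  denied  { read } for  pid=2458 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=netlink_audit_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Yield (source_type, target_type, tclass, [perms]) per AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the pppd/mgetty lines)
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        if not {"scontext", "tcontext", "tclass"} <= f.keys():
            continue  # truncated record, nothing reliable to group on
        # A context is user:role:type[:level]; the type is what policy rules name.
        src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
        yield src, tgt, f["tclass"], m.group("perms").split()

def summarize(text):
    """Merge permissions denied for the same (source, target, class) triple."""
    grouped = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        grouped[(src, tgt, cls)].update(perms)
    return {key: sorted(perms) for key, perms in grouped.items()}

def as_rules(summary):
    """Render each group in allow-rule syntax; 'self' when source == target."""
    return [
        f"allow {src} {'self' if tgt == src else tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE_LOG))))
```
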




