Bug 119911 - IPX_UTILS, NCPFS not working with selinux enabled
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: David Lawrence
Blocks: 122683
Reported: 2004-04-03 02:11 UTC by Matthew Almond
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2005-01-05 13:41:41 UTC

Description Matthew Almond 2004-04-03 02:11:10 UTC
Description of problem:
When selinux is enabled, I cannot use ipx_interface to set up ipx,
thus ncpmount does not work. I have tried all available contexts.  If
I disable selinux, set up the ipx interface, mount a share, then
re-enable selinux, ncp loses the connection and hogs the cpu.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. ipx_interface add -p eth? [frame type]
2. or setenforce 0, ipx_interface..., ncpmount..., setenforce 1
  
Actual results:
ipx_interface: socket: Permission denied

Expected results:
ability to use ncpfs, ipx

Additional info:
I have tried to figure out selinux policies... but have failed else I
would have tried to fix it...

Comment 1 Phil Moors 2004-04-05 16:11:14 UTC
I tried poking around here as well. ncpfs isn't defined anywhere under
types.

Comment 2 Bill Nottingham 2004-04-06 04:56:31 UTC
Can you post the SELinux avc messages?

Comment 3 Phil Moors 2004-04-06 16:11:43 UTC
I can reproduce this in policy-1.9.2-12. What's weird is that there
are absolutely no AVC messages generated in /var/log/messages when
this is denied. Yet setenforce 0 allows the interface to be plumbed.

Phil

Comment 4 Daniel Walsh 2004-04-06 16:14:47 UTC
Are there any messages when setenforce 0 is specified?
Or any messages for that matter.


Dan

Comment 5 Phil Moors 2004-04-06 16:27:40 UTC
Ooh. Yes there is:

Apr  6 12:28:56 pm2 kernel: audit(1081268936.471:0): avc:  denied  {
ioctl } for  pid=2663 exe=/sbin/ipx_interface path=socket:[5590] dev=
ino=5590 scontext=root:sysadm_r:sysadm_t
tcontext=root:sysadm_r:sysadm_t tclass=socket

Also, from /etc/security/selinux/src/policy:
    grep -R ncpfs *
    grep -R ncpumount *
    grep -R ncpmount *
all return nothing.

Phil
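
Added example, not part of the original bug thread and not the fix that went into the policy: a small Python parser for the denial quoted in comment 5 that tolerates the line wrapping and the empty dev= field, and renders the candidate allow rule a policy maintainer would review. The function names and the choice to write the target as "self" when both contexts are identical are assumptions of this example.

```python
import re

# The denial from comment 5, embedded with the same line wrapping as in the report.
SAMPLE = """Apr  6 12:28:56 pm2 kernel: audit(1081268936.471:0): avc:  denied  {
ioctl } for  pid=2663 exe=/sbin/ipx_interface path=socket:[5590] dev=
ino=5590 scontext=root:sysadm_r:sysadm_t
tcontext=root:sysadm_r:sysadm_t tclass=socket"""

AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)$")


def parse_avc(text):
    """Parse one (possibly line-wrapped) AVC record into a dict, or None."""
    flat = " ".join(text.split())  # undo line wrapping and repeated spaces
    m = AVC_RE.search(flat)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    # key=value fields; an empty value (dev= in the sample) is kept as ""
    for key, value in re.findall(r"(\w+)=(\S*)", m.group(3)):
        rec[key] = value
    return rec


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


def allow_rule(rec):
    """Render the allow rule matching a denial, as a candidate for review."""
    src = context_type(rec["scontext"])
    # Assumption of this example: identical source and target contexts mean
    # the object belongs to the process itself, written as "self" in policy.
    same = rec["scontext"] == rec["tcontext"]
    tgt = "self" if same else context_type(rec["tcontext"])
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (src, tgt, rec["tclass"], perm_text)


if __name__ == "__main__":
    print(allow_rule(parse_avc(SAMPLE)))
```

The rule is derived from one record only; a denial that is never logged produces no rule.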

Comment 6 Daniel Walsh 2004-12-01 14:07:10 UTC
I just realized that I lost this bugzilla.  I am looking to fix this
for FC3/RHEL4 but do not have access to an ipx machine.  I have
modified the policy to allow ipx_interface and friends to work but I
need to add the ncpfs stuff.

Dan

