On Thu, Mar 18, 2010 at 6:05 PM, Aleksey Tsalolikhin atsaloli.tech@gmail.com wrote:
CentOS release 5.4 (Final)
I run pppd on this system, it accepts dial-in connections, logs people in over ssh/sftp.
I had selinux disabled on this system originally, but I recently enabled it, and selinux is blocking this pppd service.
"audit2allow -M" has generated the following policy based on AVC denial messages:

module fixdialinserver 1.0;

require {
        type pppd_t;
        type shadow_t;
        type chkpwd_exec_t;
        class file { read execute };
        class netlink_audit_socket create;
}

#============= pppd_t ==============
allow pppd_t chkpwd_exec_t:file execute;
allow pppd_t self:netlink_audit_socket create;
allow pppd_t shadow_t:file read;

However, I am unable to load this module due to conflict with another policy:

# semodule -i fixdialinserver.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow pppd_t shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
#

Is there an seboolean I can tweak to allow me to load this policy?
I used "getsebool -a |grep ppp" to find and enable the following three selinux booleans:

pppd_can_insmod --> on
pppd_disable_trans --> on
pppd_for_user --> on

However, pppd still does not work and policy still fails to load.
Any suggestions?
Thanks,
Aleksey
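
The assertion failure reported in the message above, worked through as an added example that is not part of the original post: this Python code reads the libsepol error text and the audit2allow module source (both embedded as constructed sample input copied from the message) and separates the rules rejected by a base-policy assertion (a neverallow rule) from the rules that can still load. The function names are hypothetical.

```python
import re

# Constructed sample input: semodule output and module source as quoted in the message.
SEMODULE_OUTPUT = """\
libsepol.check_assertion_helper: assertion on line 0 violated by allow pppd_t shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
"""
MODULE_TE = """\
module fixdialinserver 1.0;
require { type pppd_t; type shadow_t; type chkpwd_exec_t;
          class file { read execute }; class netlink_audit_socket create; }
allow pppd_t chkpwd_exec_t:file execute;
allow pppd_t self:netlink_audit_socket create;
allow pppd_t shadow_t:file read;
"""

# allow <source> <target>:<class> <perm>;   or   ... { <perm> <perm> };
RULE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;")

def parse_rule(match):
    """Return ((source, target, class), frozenset(permissions)) for one allow rule."""
    perms = frozenset(match.group(4).strip("{} ").split())
    return match.group(1, 2, 3), perms

def violated_rules(output):
    """Collect the permissions libsepol reported as violating an assertion."""
    found = {}
    for line in output.splitlines():
        match = RULE.search(line) if "violated by" in line else None
        if match:
            key, perms = parse_rule(match)
            found[key] = found.get(key, frozenset()) | perms
    return found

def split_module(te_source, violations):
    """Split module text into lines that can load and rules held back for review."""
    keep, held = [], []
    for line in te_source.splitlines():
        match = RULE.fullmatch(line.strip())
        key, perms = parse_rule(match) if match else (None, frozenset())
        bad = perms & violations.get(key, frozenset())
        if not bad:
            keep.append(line)  # untouched: not an allow rule, or not flagged
            continue
        held.append("allow %s %s:%s { %s };" % (*key, " ".join(sorted(bad))))
        if perms - bad:  # keep the permissions the assertion did not reject
            keep.append("allow %s %s:%s { %s };" % (*key, " ".join(sorted(perms - bad))))
    return keep, held

if __name__ == "__main__":
    keep, held = split_module(MODULE_TE, violated_rules(SEMODULE_OUTPUT))
    print("\n".join(keep))
    print("# held back for review:", *held, sep="\n# ")
```

The held-back rule stays denied: it marks access that the base policy forbids for this domain, so it calls for a policy-level review rather than another allow rule.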