On Thu, Mar 18, 2010 at 6:05 PM, Aleksey Tsalolikhin <atsaloli.tech at gmail.com> wrote:
> CentOS release 5.4 (Final)
>
> I run pppd on this system, it accepts dial-in connections, logs people
> in over ssh/sftp.
>
> I had selinux disabled on this system originally, but I recently
> enabled it, and selinux is blocking this pppd service.
>
> "audit2allow -M" has generated the following policy based on AVC
> denial messages:
>
> module fixdialinserver 1.0;
>
> require {
>         type pppd_t;
>         type shadow_t;
>         type chkpwd_exec_t;
>         class file { read execute };
>         class netlink_audit_socket create;
> }
>
> #============= pppd_t ==============
> allow pppd_t chkpwd_exec_t:file execute;
> allow pppd_t self:netlink_audit_socket create;
> allow pppd_t shadow_t:file read;
>
> However, I am unable to load this module due to conflict with another policy:
>
> # semodule -i fixdialinserver.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow pppd_t shadow_t:file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> #
>
> Is there an seboolean I can tweak to allow me to load this policy?

I used "getsebool -a |grep ppp" to find and enable the following three
selinux booleans:

pppd_can_insmod --> on
pppd_disable_trans --> on
pppd_for_user --> on

However pppd still does not work and policy still fails to load.

Any suggestions?

Thanks,
Aleksey