Fedora Network 服务启动失败，SeLinux 提示出错

今天用 Fedora Live CD 重装了 Fedora 10，系统网络极不稳定。Network 服务无法启动 ADSL 链接，setroubleshoot browser 提示出错。

Summary:

SELinux is preventing pppd (pppd_t) "write" to ./ppp-ppp0.pid (var_run_t).

Detailed Description:

SELinux is preventing pppd (pppd_t) "write" to ./ppp-ppp0.pid (var_run_t). The
SELinux type var_run_t, is a generic type for all files in the directory and
very few processes (SELinux Domains) are allowed to write to this SELinux type.
This type of denial usual indicates a mislabeled file. By default a file created
in a directory has the gets the context of the parent directory, but SELinux
policy has rules about the creation of directories, that say if a process
running in one SELinux Domain (D1) creates a file in a directory with a
particular SELinux File Context (F1) the file gets a different File Context
(F2). The policy usually allows the SELinux Domain (D1) the ability to write,
unlink, and append on (F2). But if for some reason a file (./ppp-ppp0.pid) was
created with the wrong context, this domain will be denied. The usual solution
to this problem is to reset the file context on the target file, restorecon -v
'./ppp-ppp0.pid'. If the file context does not change from var_run_t, then this
is probably a bug in policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If it does change, you can try your application again to see if it
works. The file context could have been mislabeled by editing the file or moving
the file from a different directory, if the file keeps getting mislabeled, check
the init scripts to see if they are doing something to mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v './ppp-ppp0.pid'

Fix Command:

restorecon './ppp-ppp0.pid'

Additional Information:

Source Context                unconfined_u:system_r:pppd_t:s0
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                ./ppp-ppp0.pid [ file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           ppp-2.4.4-8.fc10
Target RPM Packages          
Policy RPM                    selinux-policy-3.5.13-38.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.9-159.fc10.i686
                              #1 SMP Tue Dec 16 15:12:04 EST 2008 i686 i686
Alert Count                   44
First Seen                    Sun 18 Jan 2009 08:29:02 PM CST
Last Seen                     Sun 18 Jan 2009 08:48:43 PM CST
Local ID                      a58a621e-4abf-4dd6-a64c-ad4f45bcae91
Line Numbers                 

Summary:

SELinux is preventing pppd (pppd_t) "write" to ./ppp-ppp0.pid (var_run_t).

Detailed Description:

SELinux is preventing pppd (pppd_t) "write" to ./ppp-ppp0.pid (var_run_t). The
SELinux type var_run_t, is a generic type for all files in the directory and
very few processes (SELinux Domains) are allowed to write to this SELinux type.
This type of denial usual indicates a mislabeled file. By default a file created
in a directory has the gets the context of the parent directory, but SELinux
policy has rules about the creation of directories, that say if a process
running in one SELinux Domain (D1) creates a file in a directory with a
particular SELinux File Context (F1) the file gets a different File Context
(F2). The policy usually allows the SELinux Domain (D1) the ability to write,
unlink, and append on (F2). But if for some reason a file (./ppp-ppp0.pid) was
created with the wrong context, this domain will be denied. The usual solution
to this problem is to reset the file context on the target file, restorecon -v
'./ppp-ppp0.pid'. If the file context does not change from var_run_t, then this
is probably a bug in policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If it does change, you can try your application again to see if it
works. The file context could have been mislabeled by editing the file or moving
the file from a different directory, if the file keeps getting mislabeled, check
the init scripts to see if they are doing something to mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v './ppp-ppp0.pid'

Fix Command:

restorecon './ppp-ppp0.pid'

Additional Information:

Source Context                unconfined_u:system_r:pppd_t:s0
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                ./ppp-ppp0.pid [ file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           ppp-2.4.4-8.fc10
Target RPM Packages          
Policy RPM                    selinux-policy-3.5.13-38.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.9-159.fc10.i686
                              #1 SMP Tue Dec 16 15:12:04 EST 2008 i686 i686
Alert Count                   44
First Seen                    Sun 18 Jan 2009 08:29:02 PM CST
Last Seen                     Sun 18 Jan 2009 08:48:43 PM CST
Local ID                      a58a621e-4abf-4dd6-a64c-ad4f45bcae91
Line Numbers                 

Raw Audit Messages           

node=localhost.localdomain type=AVC msg=audit(1232282923.845:185): avc:  denied  { write } for  pid=5856 comm="pppd" name="ppp-ppp0.pid" dev=dm-0 ino=16102 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1232282923.845:185): arch=40000003 syscall=5 success=no exit=-13 a0=b80e8780 a1=241 a2=1b6 a3=240 items=0 ppid=5554 pid=5856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)Raw Audit Messages           

node=localhost.localdomain type=AVC msg=audit(1232282923.845:185): avc:  denied  { write } for  pid=5856 comm="pppd" name="ppp-ppp0.pid" dev=dm-0 ino=16102 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1232282923.845:185): arch=40000003 syscall=5 success=no exit=-13 a0=b80e8780 a1=241 a2=1b6 a3=240 items=0 ppid=5554 pid=5856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)

解决方法：

restorecon -v /var/run/ppp-ppp0.pid
restorecon -v /var/run/pppd2.pid
restorecon -v /var/run/ppp0.pid