Bug 2407022
| Summary: | SELinux is preventing kl2tpd from 'getopt' accesses on the netlink_generic_socket Unbekannt. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | nils-buescher | ||||||
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 43 | CC: | doug, dwalsh, komusubi, kxra, lvrabec, mmalik, nils-buescher, omosnacek, pkoncity, reavertm, vmojzis, zemakacena, zpytela | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:9512963ac5a36f02dd1b3c3061b003664eb4773baf8dac2fc85050e81af7b1aa;VARIANT_ID=workstation; | ||||||||
| Fixed In Version: | selinux-policy-42.21-1.fc43 | Doc Type: | --- | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2026-01-16 17:42:26 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 2111254 [details]
File: description
Created attachment 2111255 [details]
File: os_info
Upstream SELinux issue: - https://github.com/fedora-selinux/selinux-policy/issues/2259 Pull request: - https://github.com/fedora-selinux/selinux-policy/pull/2317 note: in pull-request review, it mentions the "allow l2tpd_t sysfs_t:file { open read };" line is not required because of the "dev_read_sysfs(l2tpd_t)" line, which is also the correct way to access types from other modules. This issue is preventing Fedora 43 NetworkManager-l2tp users from establishing a L2TP connection. In prior versions of Fedora, xl2tpd was used as the L2TP daemon, but that package has been orphaned. With Fedora 43, kl2tpd is now used for the L2TP daemon, it is part of the go-l2tp package (i.e. golang-github-katalix-l2tp RPM). *** Bug 2406859 has been marked as a duplicate of this bug. *** Is there some workaround? You could use the kl2tpd.te file posted to the upstream selinux-policy issue with the modification maksimsamt mentioned in a comment in that issue: - https://github.com/fedora-selinux/selinux-policy/issues/2259 Then the next steps are: 1. compile the module: checkmodule -M -m -o kl2tpd.mod kl2tpd.te 2. package the module: semodule_package -o kl2tpd.pp -m kl2tpd.mod 3. install the module: sudo semodule -i kl2tpd.pp FEDORA-2026-41e829b906 (selinux-policy-42.21-1.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2026-41e829b906 FEDORA-2026-41e829b906 has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-41e829b906` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-41e829b906 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2026-41e829b906 (selinux-policy-42.21-1.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report. |
Description of problem: I tried to connect to a vpn connection using L2TP with IPsec. IPsec itself uses a Pre-Shared key (PSK) for authenication. Prior to the Fedora 43 upgrade, establishing the VPN connection worked without problems. Using the suggested commands from SELinux, to allow access did not help. ausearch -c 'kl2tpd' --raw | audit2allow -M l2tp_vpn semodule -X 300 -i l2tp_vpn.pp SELinux is preventing kl2tpd from 'getopt' accesses on the netlink_generic_socket Unbekannt. ***** Plugin catchall (100. confidence) suggests ************************** Wenn Sie denken, dass es kl2tpd standardmäßig erlaubt sein sollte, getopt Zugriff auf Unbekannt netlink_generic_socket zu erhalten. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen: # ausearch -c 'kl2tpd' --raw | audit2allow -M my-kl2tpd # semodule -X 300 -i my-kl2tpd.pp Additional Information: Source Context system_u:system_r:l2tpd_t:s0 Target Context system_u:system_r:l2tpd_t:s0 Target Objects Unbekannt [ netlink_generic_socket ] Source kl2tpd Source Path kl2tpd Port <Unbekannt> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-42.14-1.fc43.noarch Local Policy RPM selinux-policy-targeted-42.14-1.fc43.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 6.17.5-300.fc43.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Oct 23 15:35:13 UTC 2025 x86_64 Alert Count 3 First Seen 2025-10-29 10:37:54 CET Last Seen 2025-10-29 10:44:52 CET Local ID 1ebf294d-7de5-4c67-9541-c16bd28777d9 Raw Audit Messages type=AVC msg=audit(1761731092.895:203): avc: denied { getopt } for pid=6385 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=0 Hash: kl2tpd,l2tpd_t,l2tpd_t,netlink_generic_socket,getopt Version-Release number of selected component: selinux-policy-targeted-42.14-1.fc43.noarch Additional info: reporter: libreport-2.17.15 reason: SELinux is preventing kl2tpd from 'getopt' accesses on the netlink_generic_socket Unbekannt. package: selinux-policy-targeted-42.14-1.fc43.noarch component: selinux-policy hashmarkername: setroubleshoot type: libreport kernel: 6.17.5-300.fc43.x86_64 component: selinux-policy