| Summary: | No SELinux policies for xl2tpd | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Steven Bakker <sb> | |
| Component: | xl2tpd | Assignee: | Paul Wouters <pwouters> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 16 | CC: | dwalsh, mgrepl, paullee0, pwouters, wendellcraigbaker | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 833557 (view as bug list) | Environment: | ||
| Last Closed: | 2012-07-05 23:33:47 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 833557 | |||
Description
Steven Bakker
2011-10-25 07:22:16 UTC
The following policy seems to get xl2tpd into something like a working state (it then fails to start pppd due to lack of legacy PTYs in the kernel):
--
module mypol 1.0;

require {
	type l2tpd_t;
	type ptmx_t;
	type unreserved_port_t;
	type var_run_t;
	class file { read unlink };
	class chr_file { read write ioctl open };
	class udp_socket name_bind;
}

#============= l2tpd_t ==============
allow l2tpd_t ptmx_t:chr_file { read write ioctl open };
allow l2tpd_t unreserved_port_t:udp_socket name_bind;
allow l2tpd_t var_run_t:file { read unlink };
--

Scratch that last bit about the kernel. It complains about the legacy PTYs because it is falling back to them. In other words, it cannot open a PTY through the regular interface. Definitely SELinux-related, since it works fine if I turn off SELinux completely. No idea what policy lines are needed here, though.

(In reply to comment #0)
I have almost exactly the same problem - xl2tpd-1.3.1-1.fc16.i686
Similar setup in Fedora 8 works without problem.

Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: Connection established to 192.168.0.98, 1701. Local: 32045, Remote: 1 (ref=0/0). LNS session is 'default'
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: getPtyMaster_ptmx: unable to open /dev/ptmx to allocate pty
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: getPtyMaster: failed to use pts -- using legacy ptys
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: getPtyMaster_pty: No more free pseudo-tty's
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: start_pppd: unable to allocate pty, abandoning!

> Description of problem:
>
> When SELinux is enabled, xl2tpd fails to run due to insufficient privileges. It
> appears there is no SELinux policy shipped with xl2tpd.
>
> Version-Release number of selected component (if applicable):
>
> xl2tpd-1.3.1-1.fc16.x86_64
>
> How reproducible:
>
> Always
>
> Steps to Reproduce:
> 1. Start xl2tpd
> 2. Try to set up a tunnel
>
> Actual results:
>
> Fails (initially even fails to start up daemon), logs in
> /var/log/audit/audit.log and /var/log/messages about SELinux blockage.
>
> Expected results:
>
> A ppp0 interface.
>
> Additional info:

note there is a policy in fedora, but not in rhel6

Then please open a new bug for RHEL6.

dwalsh: has the xl2tpd policy update made it to rhel/epel yet?

Not in RHEL, did you open a bug requesting it?

I did now, and added selinux policy patches. See: https://bugzilla.redhat.com/show_bug.cgi?id=833557

closing bug as the policy is there now in Fedora
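The reporter's module was derived from the AVC denials logged in /var/log/audit/audit.log. The following is an added example (not code from this bug report, xl2tpd, or the Fedora policy) showing how such denials are turned into a minimal `.te` module, the way audit2allow does: it parses a constructed audit.log excerpt modelled on the l2tpd_t denials described above (the records follow the standard auditd AVC layout, but the pids, inodes and timestamps are made up) and renders the resulting require block and allow rules.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt modelled on the denials the report describes;
# not the reporter's actual log lines.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1319527336.101:201): avc:  denied  { read write } for  pid=7002 comm="xl2tpd" name="ptmx" dev="devtmpfs" ino=1105 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1319527336.101:202): avc:  denied  { open } for  pid=7002 comm="xl2tpd" path="/dev/ptmx" dev="devtmpfs" ino=1105 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1319527336.102:203): avc:  denied  { ioctl } for  pid=7002 comm="xl2tpd" path="/dev/ptmx" dev="devtmpfs" ino=1105 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1319527340.500:204): avc:  denied  { name_bind } for  pid=7002 comm="xl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1319527341.000:205): avc:  denied  { read } for  pid=7002 comm="xl2tpd" name="xl2tpd.pid" dev="tmpfs" ino=77 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1319527341.000:206): avc:  denied  { unlink } for  pid=7002 comm="xl2tpd" name="xl2tpd.pid" dev="tmpfs" ino=77 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1319527341.000:206): arch=c000003e syscall=87 success=no exit=-13 comm="xl2tpd"
"""

# One AVC record: permissions in braces, then source/target contexts and object class.
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
                    r".*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\w+)")


def parse_avc_denials(text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        stype = m.group("scon").split(":")[2]  # context is user:role:type[:range]
        ttype = m.group("tcon").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def fmt_perms(perms):
    """Policy syntax: one permission bare, several in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_policy_module(rules, name="mypol", version="1.0"):
    """Render a .te module (require block plus allow rules) from parsed denials."""
    types = sorted({t for (s, o, _) in rules for t in (s, o)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out.append("}")
    out += [f"allow {s} {o}:{tc} {fmt_perms(rules[(s, o, tc)])};" for (s, o, tc) in sorted(rules)]
    return "\n".join(out)
```

Run on the sample, `render_policy_module(parse_avc_denials(SAMPLE_AUDIT_LOG))` yields the same three allow rules as the reporter's module; on a real system the output still has to be reviewed line by line, since a denial only shows what the daemon tried, not whether it should be allowed to.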