Bug 748724

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | No SELinux policies for xl2tpd | | |
| Product | [Fedora] Fedora | Reporter | Steven Bakker <sb> |
| Component | xl2tpd | Assignee | Paul Wouters <pwouters> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | unspecified | | |
| Version | 16 | CC | dwalsh, mgrepl, paullee0, pwouters, wendellcraigbaker |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 833557 (view as bug list) | Environment | |
| Last Closed | 2012-07-05 23:33:47 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 833557 | | |
Description
Steven Bakker
2011-10-25 07:22:16 UTC
The following policy seems to get xl2tpd into something like a working state (it then fails to start pppd due to lack of legacy PTYs in the kernel):

```
module mypol 1.0;

require {
	type l2tpd_t;
	type ptmx_t;
	type unreserved_port_t;
	type var_run_t;
	class file { read unlink };
	class chr_file { read write ioctl open };
	class udp_socket name_bind;
}

#============= l2tpd_t ==============
allow l2tpd_t ptmx_t:chr_file { read write ioctl open };
allow l2tpd_t unreserved_port_t:udp_socket name_bind;
allow l2tpd_t var_run_t:file { read unlink };
```

Scratch that last bit about the kernel. It complains about the legacy PTYs because it is falling back to them. In other words, it cannot open a PTY through the regular interface. Definitely SELinux-related, since it works fine if I turn off SELinux completely. No idea what policy lines are needed here, though.

(In reply to comment #0)

I have almost exactly the same problem - xl2tpd-1.3.1-1.fc16.i686. Similar setup in Fedora 8 works without problem.

```
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: Connection established to 192.168.0.98, 1701. Local: 32045, Remote: 1 (ref=0/0). LNS session is 'default'
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: getPtyMaster_ptmx: unable to open /dev/ptmx to allocate pty
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: getPtyMaster: failed to use pts -- using legacy ptys
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: getPtyMaster_pty: No more free pseudo-tty's
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: start_pppd: unable to allocate pty, abandoning!
```

> Description of problem:
>
> When SELinux is enabled, xl2tpd fails to run due to insufficient privileges. It appears there is no SELinux policy shipped with xl2tpd.
>
> Version-Release number of selected component (if applicable):
>
> xl2tpd-1.3.1-1.fc16.x86_64
>
> How reproducible:
>
> Always
>
> Steps to Reproduce:
> 1. Start xl2tpd
> 2. Try to set up a tunnel
>
> Actual results:
>
> Fails (initially even fails to start up daemon), logs in /var/log/audit/audit.log and /var/log/messages about SELinux blockage.
>
> Expected results:
>
> A ppp0 interface.
>
> Additional info:

note there is a policy in fedora, but not in rhel6

Then please open a new bug for RHEL6.

dwalsh: has the xl2tpd policy update made it to rhel/epel yet?

Not in RHEL, did you open a bug requesting it?

I did now, and added selinux policy patches. See: https://bugzilla.redhat.com/show_bug.cgi?id=833557

closing bug as the policy is there now in Fedora
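The reporter's `mypol` module is the kind of output `audit2allow` derives from the AVC denials that the quoted description says land in /var/log/audit/audit.log. The script below is an added example, not code from the bug report or from the xl2tpd project: it implements that derivation in miniature so you can see how the three `allow` lines fall out of the denials. The audit lines it parses are constructed for this example (the thread only quotes xl2tpd's syslog messages, not the AVC records); the type names `l2tpd_t`, `ptmx_t`, `unreserved_port_t` and `var_run_t` are the ones the reporter's module uses.

```python
import re
from collections import OrderedDict

# Constructed AVC records in audit.log format. They are NOT taken from the bug
# report; they describe the same three accesses the reporter's module allows
# (open/ioctl on /dev/ptmx, binding UDP 1701, handling the pid file).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1327436435.101:201): avc:  denied  { read write } for  pid=7002 comm="xl2tpd" name="ptmx" dev=devtmpfs ino=1059 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1327436435.101:202): avc:  denied  { ioctl } for  pid=7002 comm="xl2tpd" path="/dev/ptmx" dev=devtmpfs ino=1059 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1327436435.102:203): avc:  denied  { open } for  pid=7002 comm="xl2tpd" path="/dev/ptmx" dev=devtmpfs ino=1059 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1327436401.550:198): avc:  denied  { name_bind } for  pid=7002 comm="xl2tpd" src=1701 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1327436401.551:199): avc:  denied  { read } for  pid=7002 comm="xl2tpd" name="xl2tpd.pid" dev=tmpfs ino=2231 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1327436401.551:200): avc:  denied  { unlink } for  pid=7002 comm="xl2tpd" name="xl2tpd.pid" dev=tmpfs ino=2231 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1327436401.551:200): arch=c000003e syscall=87 success=no exit=-13
"""

# Pull the denied permission set, the source and target *types* (third field
# of a user:role:type:level context) and the object class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\S+?:\S+?:(?P<stype>\w+):\S*\s+"
    r"tcontext=\S+?:\S+?:(?P<ttype>\w+):\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_denials(text):
    """Group denied permissions by (source type, target type, object class).

    Returns an OrderedDict so rules come out in first-seen order; permissions
    seen in several records for the same triple are merged without duplicates.
    """
    rules = OrderedDict()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no AVC decision
        key = (m["stype"], m["ttype"], m["tclass"])
        perms = rules.setdefault(key, [])
        for perm in m["perms"].split():
            if perm not in perms:
                perms.append(perm)
    return rules


def fmt_perms(perms):
    """Single permission bare, several in braces, as policy syntax expects."""
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def render_module(rules, name="mypol", version="1.0"):
    """Emit a .te module in the same shape as the reporter's mypol module."""
    types = []
    classes = OrderedDict()
    for (stype, ttype, tclass), perms in rules.items():
        for t in (stype, ttype):
            if t not in types:
                types.append(t)
        seen = classes.setdefault(tclass, [])
        for p in perms:
            if p not in seen:
                seen.append(p)
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, fmt_perms(p)) for c, p in classes.items()]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in rules.items():
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, fmt_perms(perms)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module(parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

Loading a module generated this way follows the usual `checkmodule -M -m -o mypol.mod mypol.te`, `semodule_package -o mypol.pp -m mypol.mod`, `semodule -i mypol.pp` sequence. Because the output mirrors every observed denial one-to-one, each `allow` should be checked against what the daemon actually needs before it is installed; on Fedora the thread ends with the maintained policy shipping that access, so a local module is only a stopgap until that update reaches the system.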