Bug 807734
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/xl2tpd from read, write access on the chr_file ptmx. |
| Product | Fedora |
| Component | l2tpd |
| Status | CLOSED WONTFIX |
| Severity | unspecified |
| Priority | unspecified |
| Version | 16 |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:7f4d9eac01616c2d796acf94b2e7dc0d0c934e116524c444789c9b0ad607eebc |
| Reporter | Francisco Miguel Biete <fbiete> |
| Assignee | Orphan Owner <extras-orphan> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Docs Contact | |
| CC | dkocher, dominick.grift, dwalsh, extras-orphan, mgrepl |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-02-14 01:13:47 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Francisco Miguel Biete
2012-03-28 15:14:44 UTC
Does l2tpd use pseudo terminals?

I'm trying to connect to a xl2tp server, Fedora 16 is the client:

/etc/xl2tpd/xl2tpd.conf

```
[global]
;empty

[lac WorkServer]
lns = XXX.XXX.XXX.XXX
require chap = yes
refuse pap = yes
require authentication = yes
name = XXXXXXX
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.client
length bit = yes
```

/etc/ppp/options.xl2tpd.client

```
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
connect-delay 5000
```

The selinux error appears after this:

```
echo "c WorkServer" > /var/run/xl2tpd/l2tp-control
```

I executed, as suggested, to get rid of the problem:

```
grep xl2tpd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
```

After mounting the ipsec tunnel, and executing I get this:

```
Mar 30 17:23:33 localhost xl2tpd[20009]: getPtyMaster_ptmx: unable to open /dev/ptmx to allocate pty
Mar 30 17:23:33 localhost xl2tpd[20009]: getPtyMaster: failed to use pts -- using legacy ptys
Mar 30 17:23:33 localhost xl2tpd[20009]: getPtyMaster_pty: No more free pseudo-tty's
Mar 30 17:23:33 localhost xl2tpd[20009]: start_pppd: unable to allocate pty, abandoning!
```

And again a selinux error:

```
type=AVC msg=audit(1333121013.670:136): avc: denied { open } for pid=20009 comm="xl2tpd" name="ptmx" dev="devtmpfs" ino=10241 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1333121013.670:136): arch=x86_64 syscall=open success=no exit=EACCES a0=413af3 a1=2 a2=ffffffff a3=e items=0 ppid=1 pid=20009 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xl2tpd exe=/usr/sbin/xl2tpd subj=system_u:system_r:l2tpd_t:s0 key=(null)

Hash: xl2tpd,l2tpd_t,ptmx_t,chr_file,open
```

---

It seems to be a duplicate of: 748726 https://bugzilla.redhat.com/show_bug.cgi?id=748726

---

Fixed in selinux-policy-3.10.0-86.fc16

---

(In reply to comment #6)
> Fixed in selinux-policy-3.10.0-86.fc16

Sorry for the delay.

```
# systemctl start xl2tpd.service
```

Produces:

```
May 12 07:08:56 localhost systemd[1]: Cannot add dependency job for unit openswan.service, ignoring: Unit openswan.service failed to load: No such file or directory. See system logs and 'systemctl status openswan.service' for details.
May 12 07:08:56 localhost xl2tpd[6460]: xl2tpd[6460]: setsockopt recvref[30]: Protocol not available
May 12 07:08:56 localhost dbus[1127]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
May 12 07:08:56 localhost dbus-daemon[1127]: dbus[1127]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
May 12 07:08:56 localhost kernel: [ 474.593206] PPP generic driver version 2.4.2
May 12 07:08:56 localhost kernel: [ 474.595378] NET: Registered protocol family 24
May 12 07:08:56 localhost xl2tpd[6460]: xl2tpd[6460]: L2TP kernel support not detected.
May 12 07:08:56 localhost xl2tpd[6460]: xl2tpd[6460]: xl2tpd version xl2tpd-1.3.1 started on localhost.localdomain PID:6460
May 12 07:08:56 localhost xl2tpd[6460]: xl2tpd[6460]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
May 12 07:08:56 localhost xl2tpd[6460]: xl2tpd[6460]: Forked by Scott Balmos and David Stipp, (C) 2001
May 12 07:08:56 localhost xl2tpd[6460]: xl2tpd[6460]: Inherited by Jeff McAdams, (C) 2002
May 12 07:08:56 localhost xl2tpd[6460]: xl2tpd[6460]: Forked again by Xelerance (www.xelerance.com) (C) 2006
May 12 07:08:56 localhost xl2tpd[6460]: xl2tpd[6460]: Listening on IP address 0.0.0.0, port 1701
May 12 07:08:57 localhost dbus[1127]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
May 12 07:08:57 localhost dbus-daemon[1127]: dbus[1127]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
May 12 07:08:57 localhost setroubleshoot: Deleting alert a3dbdac6-e742-460c-8a75-cf61427bca08, it is allowed in current policy
May 12 07:09:00 localhost setroubleshoot: SELinux is preventing /usr/sbin/xl2tpd from read access on the file modules. For complete SELinux messages. run sealert -l 94160e94-07a2-4ca8-8cae-52202066bce0
```

----------------------------------

```
# LANG=C; sealert -l 94160e94-07a2-4ca8-8cae-52202066bce0
SELinux is preventing /usr/sbin/xl2tpd from read access on the file modules.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that xl2tpd should be allowed read access on the modules file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep xl2tpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:l2tpd_t:s0
Target Context                system_u:object_r:proc_t:s0
Target Objects                modules [ file ]
Source                        xl2tpd
Source Path                   /usr/sbin/xl2tpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           xl2tpd-1.3.1-5.fc16.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-84.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.3.4-3.fc16.x86_64 #1 SMP Thu May 3 14:46:44 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Sat May 12 07:08:56 2012
Last Seen                     Sat May 12 07:08:56 2012
Local ID                      94160e94-07a2-4ca8-8cae-52202066bce0

Raw Audit Messages
type=AVC msg=audit(1336799336.300:104): avc: denied { read } for pid=6460 comm="xl2tpd" name="modules" dev="proc" ino=4026532009 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=SYSCALL msg=audit(1336799336.300:104): arch=x86_64 syscall=open success=no exit=EACCES a0=417914 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=6460 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xl2tpd exe=/usr/sbin/xl2tpd subj=system_u:system_r:l2tpd_t:s0 key=(null)

Hash: xl2tpd,l2tpd_t,proc_t,file,read

audit2allow

#============= l2tpd_t ==============
allow l2tpd_t proc_t:file read;

audit2allow -R

#============= l2tpd_t ==============
allow l2tpd_t proc_t:file read;
```

And trying to connect

```
# echo "c WorkServer" > /var/run/xl2tpd/l2tp-control
```

```
May 12 07:11:07 localhost xl2tpd[6460]: xl2tpd[6460]: Connecting to host vpnipsec.renr.es, port 1701
May 12 07:11:09 localhost xl2tpd[6460]: xl2tpd[6460]: Connection established to X.X.X.X, 1701. Local: 50857, Remote: 58383 (ref=0/0).
May 12 07:11:09 localhost xl2tpd[6460]: xl2tpd[6460]: Calling on tunnel 50857
May 12 07:11:09 localhost xl2tpd[6460]: xl2tpd[6460]: check_control: Received out of order control packet on tunnel 58383 (got 0, expected 1)
May 12 07:11:09 localhost xl2tpd[6460]: xl2tpd[6460]: handle_packet: bad control packet!
May 12 07:11:09 localhost xl2tpd[6460]: xl2tpd[6460]: check_control: Received out of order control packet on tunnel 58383 (got 0, expected 1)
May 12 07:11:09 localhost xl2tpd[6460]: xl2tpd[6460]: handle_packet: bad control packet!
May 12 07:11:09 localhost xl2tpd[6460]: xl2tpd[6460]: Call established with 213.0.95.5, Local: 54616, Remote: 10172, Serial: 1 (ref=0/0)
May 12 07:11:09 localhost xl2tpd[6460]: xl2tpd[6460]: getPtyMaster_ptmx: unable to grantpt() on pty
May 12 07:11:09 localhost xl2tpd[6460]: xl2tpd[6460]: getPtyMaster: failed to use pts -- using legacy ptys
May 12 07:11:09 localhost xl2tpd[6460]: xl2tpd[6460]: getPtyMaster_pty: No more free pseudo-tty's
May 12 07:11:09 localhost xl2tpd[6460]: xl2tpd[6460]: start_pppd: unable to allocate pty, abandoning!
May 12 07:11:09 localhost xl2tpd[6460]: xl2tpd[6460]: write_packet: tty is not open yet.
May 12 07:11:09 localhost setroubleshoot: SELinux is preventing /usr/sbin/xl2tpd from ioctl access on the chr_file /dev/ptmx. For complete SELinux messages. run sealert -l cf713ab4-f969-49d7-86a0-f24fd786a035
May 12 07:11:12 localhost xl2tpd[6460]: xl2tpd[6460]: write_packet: tty is not open yet.
May 12 07:11:15 localhost xl2tpd[6460]: xl2tpd[6460]: write_packet: tty is not open yet.
May 12 07:11:18 localhost xl2tpd[6460]: xl2tpd[6460]: write_packet: tty is not open yet.
May 12 07:11:21 localhost xl2tpd[6460]: xl2tpd[6460]: write_packet: tty is not open yet.
May 12 07:11:24 localhost xl2tpd[6460]: xl2tpd[6460]: write_packet: tty is not open yet.
May 12 07:11:27 localhost xl2tpd[6460]: xl2tpd[6460]: write_packet: tty is not open yet.
May 12 07:11:30 localhost xl2tpd[6460]: xl2tpd[6460]: write_packet: tty is not open yet.
May 12 07:11:33 localhost xl2tpd[6460]: xl2tpd[6460]: write_packet: tty is not open yet.
May 12 07:11:36 localhost xl2tpd[6460]: xl2tpd[6460]: write_packet: tty is not open yet.
May 12 07:12:10 localhost xl2tpd[6460]: xl2tpd[6460]: check_control: Received out of order control packet on tunnel 58383 (got 2, expected 3)
May 12 07:12:10 localhost xl2tpd[6460]: xl2tpd[6460]: handle_packet: bad control packet!
```

======================

```
# LANG=C; sealert -l cf713ab4-f969-49d7-86a0-f24fd786a035
SELinux is preventing /usr/sbin/xl2tpd from ioctl access on the chr_file /dev/ptmx.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that xl2tpd should be allowed ioctl access on the ptmx chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep xl2tpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:l2tpd_t:s0
Target Context                system_u:object_r:ptmx_t:s0
Target Objects                /dev/ptmx [ chr_file ]
Source                        xl2tpd
Source Path                   /usr/sbin/xl2tpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           xl2tpd-1.3.1-5.fc16.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-84.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.3.4-3.fc16.x86_64 #1 SMP Thu May 3 14:46:44 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    Fri Mar 30 17:32:27 2012
Last Seen                     Sat May 12 07:11:09 2012
Local ID                      cf713ab4-f969-49d7-86a0-f24fd786a035

Raw Audit Messages
type=AVC msg=audit(1336799469.57:105): avc: denied { ioctl } for pid=6460 comm="xl2tpd" path="/dev/ptmx" dev="devtmpfs" ino=1129 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1336799469.57:105): arch=x86_64 syscall=ioctl success=no exit=EACCES a0=5 a1=5401 a2=7fff2b7ac088 a3=0 items=0 ppid=1 pid=6460 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xl2tpd exe=/usr/sbin/xl2tpd subj=system_u:system_r:l2tpd_t:s0 key=(null)

Hash: xl2tpd,l2tpd_t,ptmx_t,chr_file,ioctl

audit2allow

#============= l2tpd_t ==============
allow l2tpd_t ptmx_t:chr_file ioctl;

audit2allow -R

#============= l2tpd_t ==============
allow l2tpd_t ptmx_t:chr_file ioctl;
```

---

(In reply to comment #6)
> Fixed in selinux-policy-3.10.0-86.fc16

Sorry, I just missed the 86 part in "selinux-policy-3.10.0-86.fc16". Updates has selinux-policy-3.10.0-84.fc16

With the 3.10.0-86 I get the alert when starting the xl2tpd.service. But connecting seems possible

```
May 12 07:28:35 localhost xl2tpd[15901]: xl2tpd[15901]: xl2tpd version xl2tpd-1.3.1 started on localhost.localdomain PID:15901
May 12 07:28:35 localhost xl2tpd[15901]: xl2tpd[15901]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
May 12 07:28:35 localhost xl2tpd[15901]: xl2tpd[15901]: Forked by Scott Balmos and David Stipp, (C) 2001
May 12 07:28:35 localhost xl2tpd[15901]: xl2tpd[15901]: Inherited by Jeff McAdams, (C) 2002
May 12 07:28:35 localhost xl2tpd[15901]: xl2tpd[15901]: Forked again by Xelerance (www.xelerance.com) (C) 2006
May 12 07:28:35 localhost xl2tpd[15901]: xl2tpd[15901]: Listening on IP address 0.0.0.0, port 1701
May 12 07:28:35 localhost setroubleshoot: SELinux is preventing /usr/sbin/xl2tpd from read access on the file modules. For complete SELinux messages. run sealert -l 94160e94-07a2-4ca8-8cae-52202066bce0
```

```
sealert -l 94160e94-07a2-4ca8-8cae-52202066bce0
SELinux is preventing /usr/sbin/xl2tpd from read access on the file modules.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that xl2tpd should be allowed read access on the modules file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep xl2tpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:l2tpd_t:s0
Target Context                system_u:object_r:proc_t:s0
Target Objects                modules [ file ]
Source                        xl2tpd
Source Path                   /usr/sbin/xl2tpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           xl2tpd-1.3.1-5.fc16.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-86.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.3.4-3.fc16.x86_64 #1 SMP Thu May 3 14:46:44 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Sat May 12 07:08:56 2012
Last Seen                     Sat May 12 07:28:35 2012
Local ID                      94160e94-07a2-4ca8-8cae-52202066bce0

Raw Audit Messages
type=AVC msg=audit(1336800515.518:129): avc: denied { read } for pid=15901 comm="xl2tpd" name="modules" dev="proc" ino=4026532009 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=SYSCALL msg=audit(1336800515.518:129): arch=x86_64 syscall=open success=no exit=EACCES a0=417914 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=15901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xl2tpd exe=/usr/sbin/xl2tpd subj=system_u:system_r:l2tpd_t:s0 key=(null)

Hash: xl2tpd,l2tpd_t,proc_t,file,read

audit2allow

#============= l2tpd_t ==============
allow l2tpd_t proc_t:file read;

audit2allow -R

#============= l2tpd_t ==============
allow l2tpd_t proc_t:file read;
```

---

I just added this to F17 policy. Has this been fixed in F16 policy?

---

I also notice the same:

SELinux is preventing /usr/sbin/xl2tpd from read access on the file modules.

with selinux-policy-3.10.0-90.fc16.noarch

---

This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

---

Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
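The thread above repeats one workflow several times: an AVC denial is logged, sealert explains it, and `grep xl2tpd /var/log/audit/audit.log | audit2allow -M mypol` turns the denial into an `allow` rule for a local policy module. The following is an added example, not code from this bug, from xl2tpd, or from the audit2allow tool itself: it parses AVC records of the shape quoted in the report and renders the same `allow l2tpd_t ptmx_t:chr_file ...` rules, so that the mapping from `scontext`/`tcontext`/`tclass`/permissions to policy is visible. The audit log it reads is constructed here (the three xl2tpd denials copy the contexts and permissions quoted in the report; the SYSCALL record and the unrelated `unrelated_t` denial are invented so the filters have something to skip), and the `comm` filter plays the role of the `grep xl2tpd` in the sealert advice.

```python
import re
from collections import defaultdict

# Constructed sample audit log. The xl2tpd AVC records reproduce the contexts,
# classes and permissions quoted in bug 807734; the SYSCALL record and the
# "unrelated" denial are made up so that the parser and the comm filter have
# something to ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1333121013.670:136): avc:  denied  { open } for  pid=20009 comm="xl2tpd" name="ptmx" dev="devtmpfs" ino=10241 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1333121013.670:136): arch=x86_64 syscall=open success=no exit=EACCES comm="xl2tpd" exe="/usr/sbin/xl2tpd" subj=system_u:system_r:l2tpd_t:s0
type=AVC msg=audit(1336799469.57:105): avc:  denied  { ioctl } for  pid=6460 comm="xl2tpd" path="/dev/ptmx" dev="devtmpfs" ino=1129 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1336799336.300:104): avc:  denied  { read } for  pid=6460 comm="xl2tpd" name="modules" dev="proc" ino=4026532009 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1336800000.000:150): avc:  denied  { read write } for  pid=700 comm="unrelated" path="/dev/ptmx" scontext=system_u:system_r:unrelated_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
"""

# "{ read write }" -> the permission list; key=value or key="value" -> the fields.
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields an allow rule needs from one AVC denial, else None."""
    if not line.startswith("type=AVC") or "denied" not in line:
        return None
    m = PERMS_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        return {
            "perms": set(m.group(1).split()),
            "comm": fields.get("comm", ""),
            # user:role:type:level -> the type is the third field
            "stype": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None


def collect_rules(audit_text, comm=None):
    """Merge denials into {(source type, target type, class): permissions}.

    `comm` narrows the input the way `grep xl2tpd audit.log` does in the bug,
    so that denials from other domains do not end up in the module."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm is not None and rec["comm"] != comm):
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module="mypol", version="1.0"):
    """Render a policy source (.te) file in the layout audit2allow -M produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for stype in sorted({k[0] for k in rules}):
        lines.append(f"#============= {stype} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s == stype:
                lines.append(f"allow {s} {t}:{c} {fmt_perms(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_te(collect_rules(SAMPLE_AUDIT_LOG, comm="xl2tpd")))
```

Run stand-alone it prints a `mypol.te` with `allow l2tpd_t ptmx_t:chr_file { ioctl open };` and `allow l2tpd_t proc_t:file read;`, which are the rules the thread's audit2allow output shows split across two alerts. The real tool does more than this (it can suggest booleans, map rules onto reference-policy interfaces with `-R`, and handle dontaudit), and the point of generating the rule at all is the one sealert makes in the report: the local module is a stopgap to keep the client working, and the denial is reported so that the distribution policy (here selinux-policy-3.10.0-86.fc16) carries the rule instead.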