Bug 832149
| Summary: | SELinux is preventing /usr/sbin/xl2tpd from 'execute' accesses on the file /usr/bin/kmod. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | ZetaFunction <zetafunction11> | ||||
| Component: | xl2tpd | Assignee: | Paul Wouters <pwouters> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 17 | CC: | dominick.grift, dwalsh, eparis, mgrepl, pwouters, roman_romul | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | abrt_hash:ae8bc9582787b9abd8454615ebe638044eedb4fd06c1a0d9c24daadbc15c3156 | ||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2012-07-21 22:49:56 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Any idea what xl2tpd is trying to do with kmod? Is it trying to load a kernel module? Created attachment 591941 [details]
log/messages
(In reply to comment #1) > Any idea what xl2tpd is trying to do with kmod? Is it trying to load a > kernel module? yes. Paul is this required? Any other way to do this? Not crazy about letting daemons load kernel modules. Yeah, it is trying to modprobe l2tp_ppp and pppol2tp I didn't much like that either. How about if I move it to the initscript? That would be awesome. Please test the package from rawhide which should address this issue. http://koji.fedoraproject.org/koji/buildinfo?buildID=324655 Thanks a lot! no error occurred. Is it using kernel mode? You can test by sending LOTS of traffic and check if xl2tpd is using up any cpu or not. There should also be some messages about using kernel mode in the logs hmm.. I didn't have these modules. FATAL: Module l2tp_ppp not found. FATAL: Module pppol2tp not found. xl2tpd[22057]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp) where to get the modules? The module l2tp_ppp should be in any kernel from about 2.6.21 up or so? The pppol2tp module name was used before it was merged into the mainline kernel tree. On fedora, this module is in: /lib/modules/3.3.4-1.fc16.x86_64/kernel/net/l2tp/l2tp_ppp.ko on rhel/epel, this module is in: /lib/modules/2.6.32-220.17.1.el6.x86_64/kernel/drivers/net/pppol2tp.ko / lib/modules/3.4.2-4.fc17.x86_64/Linux/net/l2tp / - This folder is empty. This is strange.. "/lib/modules/3.4.2-4.fc17.x86_64/kernel/net/l2tp/" * service xl2tpd start Redirecting to /bin/systemctl start xl2tpd.service Job failed. See system journal and 'systemctl status' for details. /var/log/messages: Jun 24 20:17:59 localhost systemd[1]: Cannot add dependency job for unit openswan.service, ignoring: Unit openswan.service failed to load: No such file or directory. See system logs and 'systemctl status openswan.service' for details. Jun 24 20:17:59 localhost systemd[1]: xl2tpd.service: control process exited, code=exited status=1 Jun 24 20:17:59 localhost systemd[1]: Unit xl2tpd.service entered failed state. It's bad idea to use openswan with xl2tpd. Russian VPN L2TP often don't need IPSec. It's necessary to add in xl2tpd.spec: Requires: kernel-modules-extra. I will remove the broken dep on openswan.service (should have been ipsec.service but you are right some people use it without openswan) I don't see any kernel-modules-extra package in Fedora or RHEL/EPEL ? kernel-modules-extra is in F17 and F18. Don't know if it is a subpackage in 16... You won't find it in RHEL. l2tp_ppp, pppol2tp modules are in kernel-modules-extra in F17 and higher. That's why xl2tpd wants kernel-modules-extra and doesn't work without l2tp_ppp, pppol2tp modules. Nothing is clear. I have installed the kernel-modules-extra package, but the modules l2tp_ppp and pppol2tp is not found in those directories. How to enable these modules? I've build 1.3.1-8 in rawhide that addresses these issues http://koji.fedoraproject.org/koji/taskinfo?taskID=4195424 ZetaFunction: for me, the l2tp_ppp module is part of kernel-modules-extra on F17 and rawhide. The pppol2tp is the old name, and we only try to load that one if we don't find l2tp_ppp It's bad idea to move l2tp_ppp/pppol2tp into kernel-modules-extra, because l2tp_ppp/pppol2tp modules are base for Internet, that's why l2tp_ppp/pppol2tp must be in distribution by default. (In reply to comment #20) > Nothing is clear. I have installed the kernel-modules-extra package, but the > modules l2tp_ppp and pppol2tp is not found in those directories. How to > enable these modules? I only restarted system. But I believe that xl2tpd from ZetaFunction did not find l2tp_ppp/pppol2tp, because It's difficult to instal kernel-modules-extra with version of kernel. No problem to install any version of kernel-modules-extra, but it's will not work, because user must install identical version. It's big problem. xl2tpd-1.3.1-9.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/xl2tpd-1.3.1-9.fc17 xl2tpd-1.3.1-7.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/xl2tpd-1.3.1-7.fc16 Don't work. /etc/rc.d/init.d/xl2tpd - no such file or directory. Package xl2tpd-1.3.1-9.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing xl2tpd-1.3.1-9.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-10527/xl2tpd-1.3.1-9.fc17 then log in and leave karma (feedback). In spec: Requires: ppp >= 2.4.5-18, kernel-modules-extra Where are kernel-PAE-modules-extra etc.? xl2tpd-1.3.1-9.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. xl2tpd-1.3.1-7.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. xl2tpd-1.3.1-5.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/xl2tpd-1.3.1-5.el6 |
libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.4.0-1.fc17.x86_64 time: Thu 14 Jun 2012 07:50:55 PM MSK description: :SELinux is preventing /usr/sbin/xl2tpd from 'execute' accesses on the file /usr/bin/kmod. : :***** Plugin leaks (86.2 confidence) suggests ****************************** : :If you want to ignore xl2tpd trying to execute access the kmod file, because you believe it should not need this access. :Then you should report this as a bug. :You can generate a local policy module to dontaudit this access. :Do :# grep /usr/sbin/xl2tpd /var/log/audit/audit.log | audit2allow -D -M mypol :# semodule -i mypol.pp : :***** Plugin catchall (14.7 confidence) suggests *************************** : :If you believe that xl2tpd should be allowed execute access on the kmod file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep xl2tpd /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:l2tpd_t:s0 :Target Context system_u:object_r:insmod_exec_t:s0 :Target Objects /usr/bin/kmod [ file ] :Source xl2tpd :Source Path /usr/sbin/xl2tpd :Port <Unknown> :Host (removed) :Source RPM Packages xl2tpd-1.3.1-5.fc17.x86_64 :Target RPM Packages kmod-7-2.fc17.x86_64 :Policy RPM selinux-policy-3.10.0-130.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 : 06:35:17 UTC 2012 x86_64 x86_64 :Alert Count 2 :First Seen Thu 14 Jun 2012 07:46:28 PM MSK :Last Seen Thu 14 Jun 2012 07:46:28 PM MSK :Local ID 80c96280-7c22-401a-aaa1-2f60c1c56d66 : :Raw Audit Messages :type=AVC msg=audit(1339688788.85:58): avc: denied { execute } for pid=1435 comm="xl2tpd" name="kmod" dev="sda7" ino=9671 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file : : :type=SYSCALL msg=audit(1339688788.85:58): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff97078774 a1=7fff97078870 a2=7fff9707ad60 a3=20 items=0 ppid=1433 pid=1435 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xl2tpd exe=/usr/sbin/xl2tpd subj=system_u:system_r:l2tpd_t:s0 key=(null) : :Hash: xl2tpd,l2tpd_t,insmod_exec_t,file,execute : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :