Bug 850015
Summary: | SELinux prevents /usr/sbin/xl2tpd from execute access on the file /usr/sbin/modprobe | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 7.0 | CC: | dwalsh, mgrepl, mmalik, pwouters
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2014-06-13 13:22:27 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Milos Malik
2012-08-21 13:17:42 UTC
Actual results (in permissive mode):

```
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.908:515): item=1 name=(null) inode=3670027 dev=08:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1345554984.908:515): item=0 name="/sbin/modprobe" inode=3683906 dev=08:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:insmod_exec_t:s0
type=CWD msg=audit(1345554984.908:515): cwd="/"
type=EXECVE msg=audit(1345554984.908:515): argc=3 a0="modprobe" a1="-q" a2="l2tp_ppp"
type=SYSCALL msg=audit(1345554984.908:515): arch=c000003e syscall=59 success=yes exit=0 a0=7fff528e6d98 a1=7fff528e6e90 a2=7fff528e9388 a3=32fd486d60 items=2 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.908:515): avc: denied { execute_no_trans } for pid=7123 comm="xl2tpd" path="/usr/bin/kmod" dev="sda4" ino=3683906 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1345554984.908:515): avc: denied { read open } for pid=7123 comm="xl2tpd" path="/usr/bin/kmod" dev="sda4" ino=3683906 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1345554984.908:515): avc: denied { execute } for pid=7123 comm="xl2tpd" name="kmod" dev="sda4" ino=3683906 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:516): item=0 name="/etc/modprobe.d" inode=393222 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:modules_conf_t:s0
type=CWD msg=audit(1345554984.909:516): cwd="/"
type=SYSCALL msg=audit(1345554984.909:516): arch=c000003e syscall=4 success=yes exit=0 a0=32ff00f86f a1=7ffffb3b1e40 a2=7ffffb3b1e40 a3=7ffffb3b1af0 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:516): avc: denied { getattr } for pid=7123 comm="modprobe" path="/etc/modprobe.d" dev="sda4" ino=393222 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:517): item=0 name="/etc/modprobe.d" inode=393222 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:modules_conf_t:s0
type=CWD msg=audit(1345554984.909:517): cwd="/"
type=SYSCALL msg=audit(1345554984.909:517): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=32ff00f86f a2=90800 a3=0 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:517): avc: denied { open } for pid=7123 comm="modprobe" path="/etc/modprobe.d" dev="sda4" ino=393222 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1345554984.909:517): avc: denied { read } for pid=7123 comm="modprobe" name="modprobe.d" dev="sda4" ino=393222 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:518): item=0 name="openfwwf.conf" inode=393605 dev=08:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:modules_conf_t:s0
type=CWD msg=audit(1345554984.909:518): cwd="/"
type=SYSCALL msg=audit(1345554984.909:518): arch=c000003e syscall=262 success=yes exit=0 a0=4 a1=7ffffb3b1f73 a2=7ffffb3b1ed0 a3=0 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:518): avc: denied { getattr } for pid=7123 comm="modprobe" path="/etc/modprobe.d/openfwwf.conf" dev="sda4" ino=393605 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1345554984.909:518): avc: denied { search } for pid=7123 comm="modprobe" name="modprobe.d" dev="sda4" ino=393222 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:519): item=0 name="/etc/modprobe.d/blacklist.conf" inode=393317 dev=08:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:modules_conf_t:s0
type=CWD msg=audit(1345554984.909:519): cwd="/"
type=SYSCALL msg=audit(1345554984.909:519): arch=c000003e syscall=2 success=yes exit=4 a0=7ffffb3b1f60 a1=80000 a2=7ffffb3b1f7e a3=7ffffb3b1af0 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:519): avc: denied { open } for pid=7123 comm="modprobe" path="/etc/modprobe.d/blacklist.conf" dev="sda4" ino=393317 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1345554984.909:519): avc: denied { read } for pid=7123 comm="modprobe" name="blacklist.conf" dev="sda4" ino=393317 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:520): item=0 name="/lib/modules/3.5.0-0.24.el7.x86_64/modules.dep.bin" inode=3935121 dev=08:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:modules_object_t:s0
type=CWD msg=audit(1345554984.909:520): cwd="/"
type=SYSCALL msg=audit(1345554984.909:520): arch=c000003e syscall=2 success=yes exit=4 a0=7ffffb3b1fd0 a1=80000 a2=12aa220 a3=20 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:520): avc: denied { open } for pid=7123 comm="modprobe" path="/usr/lib/modules/3.5.0-0.24.el7.x86_64/modules.dep.bin" dev="sda4" ino=3935121 scontext=system_u:system_r:l2tpd_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1345554984.909:520): avc: denied { read } for pid=7123 comm="modprobe" name="modules.dep.bin" dev="sda4" ino=3935121 scontext=system_u:system_r:l2tpd_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1345554984.909:520): avc: denied { search } for pid=7123 comm="modprobe" name="modules" dev="sda4" ino=3670040 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir
----
time->Tue Aug 21 15:16:24 2012
type=SYSCALL msg=audit(1345554984.909:521): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7ffffb3b1ef0 a2=7ffffb3b1ef0 a3=7ffffb3b1c70 items=0 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:521): avc: denied { getattr } for pid=7123 comm="modprobe" path="/usr/lib/modules/3.5.0-0.24.el7.x86_64/modules.dep.bin" dev="sda4" ino=3935121 scontext=system_u:system_r:l2tpd_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:522): item=0 name="/lib/modules/3.5.0-0.24.el7.x86_64/kernel/net/l2tp/l2tp_netlink.ko" inode=5115365 dev=08:04 mode=0100744 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:modules_object_t:s0
type=CWD msg=audit(1345554984.909:522): cwd="/"
type=SYSCALL msg=audit(1345554984.909:522): arch=c000003e syscall=4 success=yes exit=0 a0=12abde0 a1=7ffffb3afdb0 a2=7ffffb3afdb0 a3=2e6b6e696c74656e items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:522): avc: denied { getattr } for pid=7123 comm="modprobe" path="/usr/lib/modules/3.5.0-0.24.el7.x86_64/kernel/net/l2tp/l2tp_netlink.ko" dev="sda4" ino=5115365 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:523): item=0 name="/sys/module/slhc/initstate" inode=13845 dev=00:0f mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysfs_t:s0
type=CWD msg=audit(1345554984.909:523): cwd="/"
type=SYSCALL msg=audit(1345554984.909:523): arch=c000003e syscall=2 success=yes exit=4 a0=7ffffb3b1e90 a1=80000 a2=7ffffb3b1eaa a3=32ff010328 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:523): avc: denied { open } for pid=7123 comm="modprobe" path="/sys/module/slhc/initstate" dev="sysfs" ino=13845 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1345554984.909:523): avc: denied { read } for pid=7123 comm="modprobe" name="initstate" dev="sysfs" ino=13845 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.910:524): item=0 name="/lib/modules/3.5.0-0.24.el7.x86_64/kernel/net/l2tp/l2tp_core.ko" inode=5115360 dev=08:04 mode=0100744 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:modules_object_t:s0
type=CWD msg=audit(1345554984.910:524): cwd="/"
type=SYSCALL msg=audit(1345554984.910:524): arch=c000003e syscall=2 success=yes exit=4 a0=12abf50 a1=80000 a2=38 a3=38 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.910:524): avc: denied { open } for pid=7123 comm="modprobe" path="/usr/lib/modules/3.5.0-0.24.el7.x86_64/kernel/net/l2tp/l2tp_core.ko" dev="sda4" ino=5115360 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1345554984.910:524): avc: denied { read } for pid=7123 comm="modprobe" name="l2tp_core.ko" dev="sda4" ino=5115360 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
----
```

Is l2tpd supposed to be able to load kernel modules?

> Is l2tpd supposed to be able to load kernel modules?

I would say so. Paul, what do you think about it?

Actually I think Paul had said something about moving this out of the app and into the init script or having the modules loaded via some other mechanism. How come xl2tpd is not on the list of RHEL7 packages so I could redefine this as an xl2tpd bug?

The SELinux patch was waiting on a newer ppp package to address https://bugzilla.redhat.com/show_bug.cgi?id=815128 but it seems it was decided to not upgrade the ppp package for this despite a pretty simple Makefile patch fixing the issue and avoiding a kernel crasher. I'll push it through now with the SELinux fix and the ppp requirement lowered, but if someone could nudge the ppp issue to avoid both the kernel crasher and to make kernel L2TP work, that would be great.

xl2tpd is not part of RHEL, just EPEL. IMHO, it should be as it is the easiest way to build a simple VPN server that will work on most OSes and mobile devices.

Milos, are you still getting it?

I don't see any AVCs when the following packages are installed. Even if I unload l2tp* kernel modules before running the TC.

selinux-policy-doc-3.12.1-68.el7.noarch
selinux-policy-mls-3.12.1-68.el7.noarch
selinux-policy-devel-3.12.1-68.el7.noarch
selinux-policy-minimum-3.12.1-68.el7.noarch
selinux-policy-3.12.1-68.el7.noarch
selinux-policy-targeted-3.12.1-68.el7.noarch
xl2tpd-1.3.1-13.fc18.x86_64

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
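As an added example (not code from the bug report or the selinux-policy project), a small triage helper for raw audit records in the layout quoted in the description above: it groups each AVC denial into the (source type, target type, class, permissions) tuple a policy rule would be written against, flags the execute_no_trans case (a domain running an entrypoint binary without a domain transition, here l2tpd_t executing insmod_exec_t), and reads success=yes on the matching SYSCALL record as the sign that the log was taken in permissive mode. The sample records are constructed from the report's field values with the SYSCALL lines trimmed; the regexes are assumptions about the ausearch text format, not an audit library API.

```python
import re
from collections import defaultdict

# Constructed sample (not the full report): two of the bug's audit events with
# the SYSCALL lines trimmed, in the same "ausearch"-style layout as the report.
SAMPLE_AUDIT = """
----
time->Tue Aug 21 15:16:24 2012
type=SYSCALL msg=audit(1345554984.908:515): arch=c000003e syscall=59 success=yes exit=0 pid=7123 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.908:515): avc: denied { execute_no_trans } for pid=7123 comm="xl2tpd" path="/usr/bin/kmod" dev="sda4" ino=3683906 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1345554984.908:515): avc: denied { read open } for pid=7123 comm="xl2tpd" path="/usr/bin/kmod" dev="sda4" ino=3683906 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
----
time->Tue Aug 21 15:16:24 2012
type=SYSCALL msg=audit(1345554984.910:524): arch=c000003e syscall=2 success=yes exit=4 pid=7123 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.910:524): avc: denied { open } for pid=7123 comm="modprobe" path="/usr/lib/modules/3.5.0-0.24.el7.x86_64/kernel/net/l2tp/l2tp_core.ko" dev="sda4" ino=5115360 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
"""

# Assumed field layout of ausearch text output; tolerant of the doubled spaces
# real AVC messages carry around "denied" and inside the braces.
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} .*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<success>yes|no)')

def selinux_type(context):
    """user:role:type:level -> type, the field allow rules are written against."""
    return context.split(':')[2]

def summarize_denials(text):
    """Group AVC denials by (source type, target type, class) -> set of permissions.
    Also report whether the denied syscalls still succeeded (success=yes), which is
    what a permissive-mode log looks like: every denial is logged, nothing is blocked."""
    outcome = {m.group('serial'): m.group('success') for m in SYSCALL_RE.finditer(text)}
    summary = defaultdict(set)
    permissive = False
    for m in AVC_RE.finditer(text):
        key = (selinux_type(m.group('scontext')), selinux_type(m.group('tcontext')), m.group('tclass'))
        summary[key].update(m.group('perms').split())
        if outcome.get(m.group('serial')) == 'yes':
            permissive = True
    return dict(summary), permissive

def missing_transitions(summary):
    """(source, target) pairs where a domain ran an executable in its own context
    (execute_no_trans) instead of transitioning: here l2tpd_t running insmod_exec_t."""
    return sorted((s, t) for (s, t, c), perms in summary.items()
                  if c == 'file' and 'execute_no_trans' in perms)

if __name__ == '__main__':
    summary, permissive = summarize_denials(SAMPLE_AUDIT)
    for (s, t, c), perms in sorted(summary.items()):
        print(f'{s} -> {t}:{c} {{ {" ".join(sorted(perms))} }}  permissive={permissive}')
```

The grouped tuples are what to review before deciding between a policy rule and, as the comments discuss, moving module loading out of the daemon into the init script.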