Bug 850015

Summary: SELinux prevents /usr/sbin/xl2tpd from execute access on the file /usr/sbin/modprobe
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.0
CC: dwalsh, mgrepl, mmalik, pwouters
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-06-13 13:22:27 UTC
Type: Bug

Description Milos Malik 2012-08-21 13:17:42 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-minimum-3.11.1-6.el7.noarch
selinux-policy-doc-3.11.1-6.el7.noarch
selinux-policy-devel-3.11.1-6.el7.noarch
selinux-policy-3.11.1-6.el7.noarch
selinux-policy-targeted-3.11.1-6.el7.noarch
xl2tpd-1.3.1-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
# service xl2tpd start
# service xl2tpd stop
# ausearch -m avc -m SELINUX_ERR -ts recent
  
Actual results (in enforcing mode):
----
time->Tue Aug 21 15:02:35 2012
type=PATH msg=audit(1345554155.495:497): item=0 name="/sbin/modprobe" inode=3683906 dev=08:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:insmod_exec_t:s0
type=CWD msg=audit(1345554155.495:497):  cwd="/"
type=SYSCALL msg=audit(1345554155.495:497): arch=c000003e syscall=59 success=no exit=-13 a0=7fff7a471b28 a1=7fff7a471c20 a2=7fff7a474118 a3=32fd486d60 items=1 ppid=6610 pid=6612 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xl2tpd" exe="/usr/sbin/xl2tpd" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554155.495:497): avc:  denied  { execute } for  pid=6612 comm="xl2tpd" name="kmod" dev="sda4" ino=3683906 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
----

Expected results:
 * no AVCs

Comment 1 Milos Malik 2012-08-21 13:22:10 UTC
Actual results (in permissive mode):
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.908:515): item=1 name=(null) inode=3670027 dev=08:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1345554984.908:515): item=0 name="/sbin/modprobe" inode=3683906 dev=08:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:insmod_exec_t:s0
type=CWD msg=audit(1345554984.908:515):  cwd="/"
type=EXECVE msg=audit(1345554984.908:515): argc=3 a0="modprobe" a1="-q" a2="l2tp_ppp"
type=SYSCALL msg=audit(1345554984.908:515): arch=c000003e syscall=59 success=yes exit=0 a0=7fff528e6d98 a1=7fff528e6e90 a2=7fff528e9388 a3=32fd486d60 items=2 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.908:515): avc:  denied  { execute_no_trans } for  pid=7123 comm="xl2tpd" path="/usr/bin/kmod" dev="sda4" ino=3683906 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1345554984.908:515): avc:  denied  { read open } for  pid=7123 comm="xl2tpd" path="/usr/bin/kmod" dev="sda4" ino=3683906 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1345554984.908:515): avc:  denied  { execute } for  pid=7123 comm="xl2tpd" name="kmod" dev="sda4" ino=3683906 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:516): item=0 name="/etc/modprobe.d" inode=393222 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:modules_conf_t:s0
type=CWD msg=audit(1345554984.909:516):  cwd="/"
type=SYSCALL msg=audit(1345554984.909:516): arch=c000003e syscall=4 success=yes exit=0 a0=32ff00f86f a1=7ffffb3b1e40 a2=7ffffb3b1e40 a3=7ffffb3b1af0 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:516): avc:  denied  { getattr } for  pid=7123 comm="modprobe" path="/etc/modprobe.d" dev="sda4" ino=393222 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:517): item=0 name="/etc/modprobe.d" inode=393222 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:modules_conf_t:s0
type=CWD msg=audit(1345554984.909:517):  cwd="/"
type=SYSCALL msg=audit(1345554984.909:517): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=32ff00f86f a2=90800 a3=0 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:517): avc:  denied  { open } for  pid=7123 comm="modprobe" path="/etc/modprobe.d" dev="sda4" ino=393222 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1345554984.909:517): avc:  denied  { read } for  pid=7123 comm="modprobe" name="modprobe.d" dev="sda4" ino=393222 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:518): item=0 name="openfwwf.conf" inode=393605 dev=08:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:modules_conf_t:s0
type=CWD msg=audit(1345554984.909:518):  cwd="/"
type=SYSCALL msg=audit(1345554984.909:518): arch=c000003e syscall=262 success=yes exit=0 a0=4 a1=7ffffb3b1f73 a2=7ffffb3b1ed0 a3=0 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:518): avc:  denied  { getattr } for  pid=7123 comm="modprobe" path="/etc/modprobe.d/openfwwf.conf" dev="sda4" ino=393605 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1345554984.909:518): avc:  denied  { search } for  pid=7123 comm="modprobe" name="modprobe.d" dev="sda4" ino=393222 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:519): item=0 name="/etc/modprobe.d/blacklist.conf" inode=393317 dev=08:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:modules_conf_t:s0
type=CWD msg=audit(1345554984.909:519):  cwd="/"
type=SYSCALL msg=audit(1345554984.909:519): arch=c000003e syscall=2 success=yes exit=4 a0=7ffffb3b1f60 a1=80000 a2=7ffffb3b1f7e a3=7ffffb3b1af0 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:519): avc:  denied  { open } for  pid=7123 comm="modprobe" path="/etc/modprobe.d/blacklist.conf" dev="sda4" ino=393317 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1345554984.909:519): avc:  denied  { read } for  pid=7123 comm="modprobe" name="blacklist.conf" dev="sda4" ino=393317 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:520): item=0 name="/lib/modules/3.5.0-0.24.el7.x86_64/modules.dep.bin" inode=3935121 dev=08:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:modules_object_t:s0
type=CWD msg=audit(1345554984.909:520):  cwd="/"
type=SYSCALL msg=audit(1345554984.909:520): arch=c000003e syscall=2 success=yes exit=4 a0=7ffffb3b1fd0 a1=80000 a2=12aa220 a3=20 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:520): avc:  denied  { open } for  pid=7123 comm="modprobe" path="/usr/lib/modules/3.5.0-0.24.el7.x86_64/modules.dep.bin" dev="sda4" ino=3935121 scontext=system_u:system_r:l2tpd_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1345554984.909:520): avc:  denied  { read } for  pid=7123 comm="modprobe" name="modules.dep.bin" dev="sda4" ino=3935121 scontext=system_u:system_r:l2tpd_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1345554984.909:520): avc:  denied  { search } for  pid=7123 comm="modprobe" name="modules" dev="sda4" ino=3670040 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir
----
time->Tue Aug 21 15:16:24 2012
type=SYSCALL msg=audit(1345554984.909:521): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7ffffb3b1ef0 a2=7ffffb3b1ef0 a3=7ffffb3b1c70 items=0 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:521): avc:  denied  { getattr } for  pid=7123 comm="modprobe" path="/usr/lib/modules/3.5.0-0.24.el7.x86_64/modules.dep.bin" dev="sda4" ino=3935121 scontext=system_u:system_r:l2tpd_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:522): item=0 name="/lib/modules/3.5.0-0.24.el7.x86_64/kernel/net/l2tp/l2tp_netlink.ko" inode=5115365 dev=08:04 mode=0100744 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:modules_object_t:s0
type=CWD msg=audit(1345554984.909:522):  cwd="/"
type=SYSCALL msg=audit(1345554984.909:522): arch=c000003e syscall=4 success=yes exit=0 a0=12abde0 a1=7ffffb3afdb0 a2=7ffffb3afdb0 a3=2e6b6e696c74656e items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:522): avc:  denied  { getattr } for  pid=7123 comm="modprobe" path="/usr/lib/modules/3.5.0-0.24.el7.x86_64/kernel/net/l2tp/l2tp_netlink.ko" dev="sda4" ino=5115365 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.909:523): item=0 name="/sys/module/slhc/initstate" inode=13845 dev=00:0f mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysfs_t:s0
type=CWD msg=audit(1345554984.909:523):  cwd="/"
type=SYSCALL msg=audit(1345554984.909:523): arch=c000003e syscall=2 success=yes exit=4 a0=7ffffb3b1e90 a1=80000 a2=7ffffb3b1eaa a3=32ff010328 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.909:523): avc:  denied  { open } for  pid=7123 comm="modprobe" path="/sys/module/slhc/initstate" dev="sysfs" ino=13845 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1345554984.909:523): avc:  denied  { read } for  pid=7123 comm="modprobe" name="initstate" dev="sysfs" ino=13845 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Tue Aug 21 15:16:24 2012
type=PATH msg=audit(1345554984.910:524): item=0 name="/lib/modules/3.5.0-0.24.el7.x86_64/kernel/net/l2tp/l2tp_core.ko" inode=5115360 dev=08:04 mode=0100744 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:modules_object_t:s0
type=CWD msg=audit(1345554984.910:524):  cwd="/"
type=SYSCALL msg=audit(1345554984.910:524): arch=c000003e syscall=2 success=yes exit=4 a0=12abf50 a1=80000 a2=38 a3=38 items=1 ppid=7122 pid=7123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:l2tpd_t:s0 key=(null)
type=AVC msg=audit(1345554984.910:524): avc:  denied  { open } for  pid=7123 comm="modprobe" path="/usr/lib/modules/3.5.0-0.24.el7.x86_64/kernel/net/l2tp/l2tp_core.ko" dev="sda4" ino=5115360 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1345554984.910:524): avc:  denied  { read } for  pid=7123 comm="modprobe" name="l2tp_core.ko" dev="sda4" ino=5115360 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
----

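The AVC records quoted above are what a policy maintainer has to turn into a decision. As an added example that is not part of this report, the following Python script parses such records, unions the denied permissions per (source domain, target type, object class) the way audit2allow groups them, and flags any domain that tried to execute the module loader (insmod_exec_t) itself. The sample records are copied from this report; the function names are my own.

```python
import re
from collections import defaultdict

# AVC records copied verbatim from this report (enforcing and permissive runs),
# plus one non-AVC record to show that it is ignored.
AVC_SAMPLE = """\
type=AVC msg=audit(1345554155.495:497): avc:  denied  { execute } for  pid=6612 comm="xl2tpd" name="kmod" dev="sda4" ino=3683906 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=CWD msg=audit(1345554984.908:515):  cwd="/"
type=AVC msg=audit(1345554984.908:515): avc:  denied  { execute_no_trans } for  pid=7123 comm="xl2tpd" path="/usr/bin/kmod" dev="sda4" ino=3683906 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1345554984.908:515): avc:  denied  { read open } for  pid=7123 comm="xl2tpd" path="/usr/bin/kmod" dev="sda4" ino=3683906 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1345554984.909:516): avc:  denied  { getattr } for  pid=7123 comm="modprobe" path="/etc/modprobe.d" dev="sda4" ino=393222 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1345554984.909:517): avc:  denied  { read } for  pid=7123 comm="modprobe" name="modprobe.d" dev="sda4" ino=393222 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1345554984.910:524): avc:  denied  { open } for  pid=7123 comm="modprobe" path="/usr/lib/modules/3.5.0-0.24.el7.x86_64/kernel/net/l2tp/l2tp_core.ko" dev="sda4" ino=5115360 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
"""

# scontext/tcontext are user:role:type:level; only the type field is kept.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=\w+:\w+:(?P<sdom>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)'
)

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"result": m["result"], "perms": frozenset(m["perms"].split()),
            "sdom": m["sdom"], "ttype": m["ttype"], "tclass": m["tclass"]}

def aggregate_denials(log_text):
    """Union the denied permissions per (source domain, target type, class),
    the grouping audit2allow uses when it emits allow rules."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            rules[(rec["sdom"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)

def to_allow_rules(rules):
    """Render the aggregate as TE allow rules for review (not for blind loading)."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in rules.items())

def domains_executing_module_loader(rules):
    """Domains that tried to execute modprobe/kmod (insmod_exec_t) themselves:
    the access behind this report, which the policy owner has to judge."""
    return sorted(s for (s, t, c), p in rules.items()
                  if t == "insmod_exec_t" and c == "file"
                  and p & {"execute", "execute_no_trans"})
```

Running `to_allow_rules(aggregate_denials(AVC_SAMPLE))` yields the three candidate rules; whether to grant them or to move module loading out of the daemon is exactly the question the maintainers discuss in the following comments.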
Comment 2 Daniel Walsh 2012-09-17 16:23:36 UTC
Is l2tpd supposed to be able to load kernel modules?

Comment 3 Milos Malik 2012-09-18 09:30:14 UTC
> Is l2tpd supposed to be able to load kernel modules?

I would say so. Paul, what do you think about it?

Comment 4 Daniel Walsh 2012-09-18 12:43:00 UTC
Actually I think Paul had said something about moving this out of the app and into the init script or having the modules loaded via some other mechanism.

How come xl2tpd is not on the list of RHEL7 packages so I could redefine this as an xl2tpd bug?

Comment 5 Paul Wouters 2012-09-18 18:45:48 UTC
The SELinux patch was waiting on a newer ppp package to address https://bugzilla.redhat.com/show_bug.cgi?id=815128, but it seems it was decided to not upgrade the ppp package for this despite a pretty simple Makefile patch fixing the issue and avoiding a kernel crasher.

I'll push it through now with the SELinux fix and the ppp requirement lowered, but if someone could nudge the ppp issue to avoid both the kernel crasher and to make kernel L2TP work, that would be great.

xl2tpd is not part of RHEL, just EPEL. IMHO, it should be as it is the easiest way to build a simple VPN server that will work on most OSes and mobile devices.

Comment 7 Miroslav Grepl 2013-07-30 21:08:01 UTC
Milos,
are you still getting it?

Comment 8 Milos Malik 2013-07-31 08:33:13 UTC
I don't see any AVCs when the following packages are installed, even if I unload the l2tp* kernel modules before running the TC.

selinux-policy-doc-3.12.1-68.el7.noarch
selinux-policy-mls-3.12.1-68.el7.noarch
selinux-policy-devel-3.12.1-68.el7.noarch
selinux-policy-minimum-3.12.1-68.el7.noarch
selinux-policy-3.12.1-68.el7.noarch
selinux-policy-targeted-3.12.1-68.el7.noarch
xl2tpd-1.3.1-13.fc18.x86_64

Comment 10 Ludek Smid 2014-06-13 13:22:27 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.