Bug 891630

Summary: SELinux is preventing /usr/libexec/nm-l2tp-service from 'execute' accesses on the file /usr/sbin/xl2tpd.
Product: [Fedora] Fedora Reporter: Айфф <jamesbdonovan>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: dominick.grift, dwalsh, lvrabec, mgrepl
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:95a7d551b7e4538ef57d6c56653cd91d6501c36fdd23bcf8c8d5e2be72a63ab1
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-25 07:22:30 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Attachments:
Description Flags
File: type
none
File: hashmarkername none

Description Айфф 2013-01-03 08:11:05 EST
Additional info:
libreport version: 2.0.18
kernel:         3.6.10-2.fc17.x86_64
Comment 1 Айфф 2013-01-03 08:11:09 EST
Created attachment 672077 [details]
File: type
Comment 2 Айфф 2013-01-03 08:11:12 EST
Created attachment 672078 [details]
File: hashmarkername
Comment 3 Daniel Walsh 2013-01-03 16:33:31 EST
Your missing the AVC report?
Comment 4 Айфф 2013-01-04 14:43:25 EST
SELinux is preventing /usr/libexec/nm-l2tp-service from execute access on the file /usr/sbin/xl2tpd.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If вы хотите игнорировать попытки доступа nm-l2tp-service (execute)  к xl2tpd file, так как вы считаете, что в таком доступе нет необходимости.
Then рекомендуется создать отчет об ошибке.
Чтобы отменить аудит подобного доступа, можно создать локальный модуль политики.
Do
# grep /usr/libexec/nm-l2tp-service /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If вы считаете, что nm-l2tp-service следует разрешить доступ execute к xl2tpd file по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
чтобы разрешить доступ, выполните:
# grep nm-l2tp-service /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:l2tpd_exec_t:s0
Target Objects                /usr/sbin/xl2tpd [ file ]
Source                        nm-l2tp-service
Source Path                   /usr/libexec/nm-l2tp-service
Port                          <Неизвестно>
Host                          localhost.localdomain
Source RPM Packages           NetworkManager-l2tp-0.9.6-3.fc17.x86_64
Target RPM Packages           xl2tpd-1.3.1-9.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.6.10-2.fc17.x86_64
                              #1 SMP Tue Dec 11 18:07:34 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2013-01-04 22:39:10 FET
Last Seen                     2013-01-04 22:39:10 FET
Local ID                      debb515e-5136-457c-a3a3-79b6fae8de1d

Raw Audit Messages
type=AVC msg=audit(1357328350.559:136): avc:  denied  { execute } for  pid=8469 comm="nm-l2tp-service" name="xl2tpd" dev="dm-2" ino=58922 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:l2tpd_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1357328350.559:136): arch=x86_64 syscall=execve success=no exit=EACCES a0=17ec420 a1=17ec4e0 a2=7fff2aff73b8 a3=8 items=0 ppid=8467 pid=8469 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nm-l2tp-service exe=/usr/libexec/nm-l2tp-service subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Hash: nm-l2tp-service,NetworkManager_t,l2tpd_exec_t,file,execute

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t l2tpd_exec_t:file execute;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t l2tpd_exec_t:file execute;
Comment 5 Miroslav Grepl 2013-01-07 06:12:18 EST
*** Bug 891627 has been marked as a duplicate of this bug. ***
Comment 6 Miroslav Grepl 2013-01-07 06:18:29 EST
Added to F17.

commit 348d631766fd95f638080de61bd3b9e331abda11
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Jan 7 12:12:08 2013 +0100

    Allow NM to transition to l2tpd
Comment 7 Miroslav Grepl 2013-01-18 08:33:27 EST
*** Bug 901525 has been marked as a duplicate of this bug. ***
Comment 8 Айфф 2013-01-26 08:50:26 EST
Пытался подключится к интернету при помощи NetworkManager-l2tp.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 9 Fedora Update System 2013-02-04 17:03:49 EST
selinux-policy-3.10.0-167.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-167.fc17
Comment 10 Fedora Update System 2013-02-05 11:59:29 EST
Package selinux-policy-3.10.0-167.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-167.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1971/selinux-policy-3.10.0-167.fc17
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2013-02-12 00:08:03 EST
selinux-policy-3.10.0-167.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Айфф 2013-03-06 12:24:34 EST
Проблема повторилась в Fedora 18.
Установлен selinux-policy-3.11.1-82.fc18.