Bug 1566096 - SELinux blocking PPPoL2TP: "Given FD for PPPoL2TP socket invalid"
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-04-11 14:11 UTC by Erik Indresovde
Modified: 2018-04-19 22:07 UTC (History)

Fixed In Version: selinux-policy-3.14.1-21.fc28
Clone Of:
: 1566271 (view as bug list)
Environment:
Last Closed: 2018-04-19 22:07:35 UTC
Type: Bug


Description Erik Indresovde 2018-04-11 14:11:54 UTC
Installed ppp-2.4.7-21.fc28 after having this problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1564459

This solved the original issue, but now SELinux is blocking the connection. Setting SELinux to permissive gets rid of the error and the connection can be established.


april 09 18:46:17 fedora28 pppd[4915]: Plugin pppol2tp.so loaded.
april 09 18:46:17 fedora28 pppd[4915]: Given FD for PPPoL2TP socket invalid (Socket operation on non-socket)
april 09 18:46:17 fedora28 NetworkManager[945]: xl2tpd[4914]: child_handler : pppd exited for call 37794 with code 1
april 09 18:46:17 fedora28 NetworkManager[945]: xl2tpd[4914]: call_close: Call 18324 to 217.170.203.128 disconnected
april 09 18:46:17 fedora28 pppd[4915]: Exit.
april 09 18:46:17 fedora28 NetworkManager[945]: xl2tpd[4914]: get_call: can't find call 18324 in tunnel 28266
april 09 18:46:17 fedora28 NetworkManager[945]:  (ref=0/0)xl2tpd[4914]: get_call: can't find call 18324 in tunnel 28266
april 09 18:46:20 fedora28 NetworkManager[945]:  (ref=0/0)xl2tpd[4914]: get_call: can't find call 18324 in tunnel 28266
april 09 18:46:30 fedora28 NetworkManager[945]:  (ref=0/0)xl2tpd[4914]: death_handler: Fatal signal 15 received
april 09 18:46:30 fedora28 NetworkManager[945]: xl2tpd[4914]: Connection 21741 closed to 217.170.203.128, port 1701 (Server closing)

SEAlert is not giving any notification, but I found the following in ausearch:

type=AVC msg=audit(1523314447.297:358): avc:  denied  { getattr } for  pid=6450 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=pppox_socket permissive=1
type=AVC msg=audit(1523314447.297:359): avc:  denied  { getopt } for  pid=6450 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=pppox_socket permissive=1
type=AVC msg=audit(1523314447.318:360): avc:  denied  { ioctl } for  pid=6450 comm="pppd" path="socket:[77543]" dev="sockfs" ino=77543 ioctlcmd=0x7437 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=pppox_socket permissive=1

I made some attempts at adding a local policy, but was unable to make it work. Any suggestions on how to add a workaround?

Comment 1 Fedora Update System 2018-04-16 11:35:05 UTC
selinux-policy-3.14.1-21.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1148ada2a3

Comment 2 Fedora Update System 2018-04-17 03:04:08 UTC
selinux-policy-3.14.1-21.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1148ada2a3

Comment 3 Erik Indresovde 2018-04-17 23:20:52 UTC
Problem solved with selinux-policy-3.14.1-21.fc28.

Comment 4 Fedora Update System 2018-04-19 22:07:35 UTC
selinux-policy-3.14.1-21.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

