1759214 – ptp4l not allowed to use L2 transport

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1759214 - ptp4l not allowed to use L2 transport

Summary: ptp4l not allowed to use L2 transport

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.3
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1884267
TreeView+	depends on / blocked

Reported:	2019-10-07 15:48 UTC by Miroslav Lichvar
Modified:	2020-11-04 01:57 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:	1759212
Clones:	1884267 (view as bug list)
Environment:
Last Closed:	2020-11-04 01:55:53 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:4528	0	None	None	None	2020-11-04 01:56:19 UTC

Description Miroslav Lichvar 2019-10-07 15:48:21 UTC

Description of problem:
When ptp4l is configured to use the L2 transport, it fails to open the raw socket due to a selinux policy. In the permissive mode I get the following AVCs:

type=AVC msg=audit(1570462452.944:663): avc:  denied  { create } for  pid=3942 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1
type=AVC msg=audit(1570462452.944:664): avc:  denied  { ioctl } for  pid=3942 comm="ptp4l" path="socket:[35717]" dev="sockfs" ino=35717 ioctlcmd=0x8933 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1
type=AVC msg=audit(1570462452.944:665): avc:  denied  { bind } for  pid=3942 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1
type=AVC msg=audit(1570462452.950:666): avc:  denied  { setopt } for  pid=3942 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-20.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. change OPTIONS in /etc/sysconfig/ptp4l to "-i eth0 --network_transport L2"
2. systemctl restart ptp4l
3. check audit log

Actual results:
AVC errors reported in audit log and ptp4l complains in system log
ptp4l[10816]: [2771.015] socket failed: Permission denied
ptp4l[10816]: [2771.015] port 1: INITIALIZING to FAULTY on FAULT_DETECTED (FT_UNSPECIFIED)

Expected results:
No errors reported

Additional info:

Comment 1 Milos Malik 2019-10-08 09:20:52 UTC

Caught in enforcing mode:
----
type=PROCTITLE msg=audit(10/08/2019 05:16:48.121:304) : proctitle=/usr/sbin/ptp4l -f /etc/ptp4l.conf -i eth0 --network_transport L2 -S 
type=SYSCALL msg=audit(10/08/2019 05:16:48.121:304) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=packet a1=SOCK_RAW a2=unknown-proto(300) a3=0xc items=0 ppid=1 pid=31324 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ptp4l exe=/usr/sbin/ptp4l subj=system_u:system_r:ptp4l_t:s0 key=(null) 
type=AVC msg=audit(10/08/2019 05:16:48.121:304) : avc:  denied  { create } for  pid=31324 comm=ptp4l scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=0 
----

Comment 2 Milos Malik 2019-10-08 09:22:48 UTC

Caught in permissive mode:
----
type=PROCTITLE msg=audit(10/08/2019 05:21:36.009:331) : proctitle=/usr/sbin/ptp4l -f /etc/ptp4l.conf -i eth0 --network_transport L2 -S 
type=SYSCALL msg=audit(10/08/2019 05:21:36.009:331) : arch=x86_64 syscall=socket success=yes exit=12 a0=packet a1=SOCK_RAW a2=unknown-proto(300) a3=0xc items=0 ppid=1 pid=3772 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ptp4l exe=/usr/sbin/ptp4l subj=system_u:system_r:ptp4l_t:s0 key=(null) 
type=AVC msg=audit(10/08/2019 05:21:36.009:331) : avc:  denied  { create } for  pid=3772 comm=ptp4l scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 
----
type=PROCTITLE msg=audit(10/08/2019 05:21:36.009:332) : proctitle=/usr/sbin/ptp4l -f /etc/ptp4l.conf -i eth0 --network_transport L2 -S 
type=SYSCALL msg=audit(10/08/2019 05:21:36.009:332) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0xc a1=SIOCGIFINDEX a2=0x7ffec8cbba70 a3=0xc items=0 ppid=1 pid=3772 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ptp4l exe=/usr/sbin/ptp4l subj=system_u:system_r:ptp4l_t:s0 key=(null) 
type=AVC msg=audit(10/08/2019 05:21:36.009:332) : avc:  denied  { ioctl } for  pid=3772 comm=ptp4l path=socket:[57448] dev="sockfs" ino=57448 ioctlcmd=SIOCGIFINDEX scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 
----
type=PROCTITLE msg=audit(10/08/2019 05:21:36.009:333) : proctitle=/usr/sbin/ptp4l -f /etc/ptp4l.conf -i eth0 --network_transport L2 -S 
type=SOCKADDR msg=audit(10/08/2019 05:21:36.009:333) : saddr={ saddr_fam=packet (unsupported) } 
type=SYSCALL msg=audit(10/08/2019 05:21:36.009:333) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xc a1=0x7ffec8cbbad0 a2=0x14 a3=0xc items=0 ppid=1 pid=3772 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ptp4l exe=/usr/sbin/ptp4l subj=system_u:system_r:ptp4l_t:s0 key=(null) 
type=AVC msg=audit(10/08/2019 05:21:36.009:333) : avc:  denied  { bind } for  pid=3772 comm=ptp4l scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 
----
type=PROCTITLE msg=audit(10/08/2019 05:21:36.009:334) : proctitle=/usr/sbin/ptp4l -f /etc/ptp4l.conf -i eth0 --network_transport L2 -S 
type=SYSCALL msg=audit(10/08/2019 05:21:36.009:334) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0xc a1=SOL_SOCKET a2=SO_BINDTODEVICE a3=0x55e5a3d6dbb5 items=0 ppid=1 pid=3772 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ptp4l exe=/usr/sbin/ptp4l subj=system_u:system_r:ptp4l_t:s0 key=(null) 
type=AVC msg=audit(10/08/2019 05:21:36.009:334) : avc:  denied  { setopt } for  pid=3772 comm=ptp4l scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 
----

Comment 7 Zdenek Pytela 2020-02-05 10:06:09 UTC

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/200

Comment 19 Zdenek Pytela 2020-06-01 11:53:09 UTC

I've submitted a Fedora PR to allow the sys_admin capability:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/254

Comment 20 Lukas Vrabec 2020-06-01 12:05:54 UTC

commit 15b3cef9562733612187b871a1e9bb4dc515dabd (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 1 13:47:25 2020 +0200

    Allow ptp4l_t sys_admin capability to run bpf programs
    
    In ptp4l, setsockopt() with SO_ATTACH_FILTER raises sk_attach_filter()
    running a bpf program, for which the SYS_ADMIN capability is required.

Comment 30 Karrar Fida 2020-09-22 18:31:19 UTC

I would like to request that this bug be released via 8.2.0.4 because it is required for PTP feature to be delivered by NFV team in RHOSP 16.1.3, due for release in December. RHOSP 16.1.x uses RHEL 8.2.

Comment 37 errata-xmlrpc 2020-11-04 01:55:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528

Note You need to log in before you can comment on or make changes to this bug.