2407022 – SELinux is preventing kl2tpd from 'getopt' accesses on the netlink_generic_socket Unbekannt.

Bug 2407022 - SELinux is preventing kl2tpd from 'getopt' accesses on the netlink_generic_socket Unbekannt.

Summary: SELinux is preventing kl2tpd from 'getopt' accesses on the netlink_generic_so...

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	43
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:9512963ac5a36f02dd1b3c3061b...
Duplicates (1):	2406859 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-29 09:51 UTC by nils-buescher
Modified:	2025-11-12 03:17 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: description (1.97 KB, text/plain) 2025-10-29 09:51 UTC, nils-buescher	no flags	Details
File: os_info (699 bytes, text/plain) 2025-10-29 09:51 UTC, nils-buescher	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy issues 2259	0	None	open	kl2tpd denials when running under NetworkManager-l2tp	2025-10-30 21:23:17 UTC

Description nils-buescher 2025-10-29 09:51:24 UTC

Description of problem:
I tried to connect to a vpn connection using L2TP with IPsec. IPsec itself uses a Pre-Shared key (PSK) for authenication.
Prior to the Fedora 43 upgrade, establishing the VPN connection worked without problems.
Using the suggested commands from SELinux, to allow access did not help.

ausearch -c 'kl2tpd' --raw | audit2allow -M l2tp_vpn
semodule -X 300 -i l2tp_vpn.pp
SELinux is preventing kl2tpd from 'getopt' accesses on the netlink_generic_socket Unbekannt.

*****  Plugin catchall (100. confidence) suggests   **************************

Wenn Sie denken, dass es kl2tpd standardmäßig erlaubt sein sollte, getopt Zugriff auf Unbekannt netlink_generic_socket zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'kl2tpd' --raw | audit2allow -M my-kl2tpd
# semodule -X 300 -i my-kl2tpd.pp

Additional Information:
Source Context                system_u:system_r:l2tpd_t:s0
Target Context                system_u:system_r:l2tpd_t:s0
Target Objects                Unbekannt [ netlink_generic_socket ]
Source                        kl2tpd
Source Path                   kl2tpd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.14-1.fc43.noarch
Local Policy RPM              selinux-policy-targeted-42.14-1.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.17.5-300.fc43.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Oct 23 15:35:13 UTC 2025
                              x86_64
Alert Count                   3
First Seen                    2025-10-29 10:37:54 CET
Last Seen                     2025-10-29 10:44:52 CET
Local ID                      1ebf294d-7de5-4c67-9541-c16bd28777d9

Raw Audit Messages
type=AVC msg=audit(1761731092.895:203): avc:  denied  { getopt } for  pid=6385 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=0


Hash: kl2tpd,l2tpd_t,l2tpd_t,netlink_generic_socket,getopt

Version-Release number of selected component:
selinux-policy-targeted-42.14-1.fc43.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing kl2tpd from 'getopt' accesses on the netlink_generic_socket Unbekannt.
package:        selinux-policy-targeted-42.14-1.fc43.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.17.5-300.fc43.x86_64
component:      selinux-policy

Comment 1 nils-buescher 2025-10-29 09:51:27 UTC

Created attachment 2111254 [details]
File: description

Comment 2 nils-buescher 2025-10-29 09:51:28 UTC

Created attachment 2111255 [details]
File: os_info

Comment 3 Douglas Kosovic 2025-10-30 21:08:14 UTC

Upstream SELinux issue:
- https://github.com/fedora-selinux/selinux-policy/issues/2259

Pull request:
- https://github.com/fedora-selinux/selinux-policy/pull/2317

note: in pull-request review, it mentions the "allow l2tpd_t sysfs_t:file { open read };" line is not required because of the "dev_read_sysfs(l2tpd_t)" line, which is also the correct way to access types from other modules.


This issue is preventing Fedora 43 NetworkManager-l2tp users from establishing a L2TP connection.

In prior versions of Fedora, xl2tpd was used as the L2TP daemon, but that package has been orphaned.

With Fedora 43, kl2tpd is now used for the L2TP daemon, it is part of the go-l2tp package (i.e. golang-github-katalix-l2tp RPM).

Comment 4 Douglas Kosovic 2025-10-30 21:12:57 UTC

*** Bug 2406859 has been marked as a duplicate of this bug. ***

Comment 5 Maciej Mrozowski 2025-11-01 05:58:43 UTC

Is there some workaround?

Comment 6 Douglas Kosovic 2025-11-02 02:16:40 UTC

You could use the kl2tpd.te file posted to the upstream selinux-policy issue with the modification maksimsamt mentioned in a comment in that issue:
- https://github.com/fedora-selinux/selinux-policy/issues/2259

Then the next steps are:

1. compile the module:

checkmodule -M -m -o kl2tpd.mod kl2tpd.te


2. package the module:

semodule_package -o kl2tpd.pp -m kl2tpd.mod


3. install the module:

sudo semodule -i kl2tpd.pp

Note You need to log in before you can comment on or make changes to this bug.