Description of problem:

When SELinux is enabled, xl2tpd fails to run due to insufficient privileges. It appears there is no SELinux policy shipped with xl2tpd.

Version-Release number of selected component (if applicable):

xl2tpd-1.3.1-1.fc16.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Start xl2tpd
2. Try to set up a tunnel

Actual results:

Fails (initially even fails to start up daemon), logs in /var/log/audit/audit.log and /var/log/messages about SELinux blockage.

Expected results:

A ppp0 interface.

Additional info:
The following policy seems to get xl2tpd into something like a working state (it then fails to start pppd due to lack of legacy PTYs in the kernel):

--
module mypol 1.0;

require {
	type l2tpd_t;
	type ptmx_t;
	type unreserved_port_t;
	type var_run_t;
	class file { read unlink };
	class chr_file { read write ioctl open };
	class udp_socket name_bind;
}

#============= l2tpd_t ==============
allow l2tpd_t ptmx_t:chr_file { read write ioctl open };
allow l2tpd_t unreserved_port_t:udp_socket name_bind;
allow l2tpd_t var_run_t:file { read unlink };
--
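The module above is the shape of output audit2allow produces from AVC denial records. As an added illustration (not code from the bug report or from the xl2tpd or SELinux projects), the script below does the same parsing by hand: it reads AVC "denied" records, groups the denied permissions by (source domain, target type, object class), and renders a policy module with the require block and allow rules in the same layout. The audit lines it parses are constructed samples written to match the failures described in this bug (opening /dev/ptmx, binding the UDP port, unlinking the pid file); they are not taken from the reporter's logs, and the module name "mypol" is only reused from the comment above.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the bug report). They follow the
# standard AVC record layout: denied permissions, then scontext/tcontext/tclass.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1327436435.123:101): avc:  denied  { read write open } for  pid=7002 comm="xl2tpd" name="ptmx" dev=devtmpfs ino=1234 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1327436435.124:102): avc:  denied  { ioctl } for  pid=7002 comm="xl2tpd" path="/dev/ptmx" dev=devtmpfs ino=1234 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1327436435.200:103): avc:  denied  { name_bind } for  pid=7002 comm="xl2tpd" src=1701 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1327436435.300:104): avc:  denied  { unlink } for  pid=7002 comm="xl2tpd" name="xl2tpd.pid" dev=dm-0 ino=5678 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1327436435.300:104): arch=c000003e syscall=87 success=no exit=-13
"""

# Matches only AVC "denied" records; SYSCALL/PATH records in the same log are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\w+)"
)


def selinux_type(context):
    """Extract the type field from user:role:type:level (level may carry a range)."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return {(source_domain, target_type, tclass): set(permissions)}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m.group("scontext")),
               selinux_type(m.group("tcontext")),
               m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return dict(denials)


def fmt_perms(perms):
    """Single permission bare, several in braces, as in policy source."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(denials, name="mypol", version="1.0"):
    """Render a loadable policy module source (.te) from grouped denials."""
    types = sorted({t for sdom, ttype, _ in denials for t in (sdom, ttype)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)

    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]

    # One allow block per source domain, each under its own header.
    for sdom in sorted({k[0] for k in denials}):
        lines.append(f"#============= {sdom} ==============")
        for (s, ttype, tclass), perms in sorted(denials.items()):
            if s == sdom:
                lines.append(f"allow {s} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_module(parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

The rendered .te source is compiled and loaded the usual way (checkmodule -M -m -o mypol.mod mypol.te; semodule_package -o mypol.pp -m mypol.mod; semodule -i mypol.pp). Grouping by (domain, type, class) is what keeps the allow rules minimal: a rule is only as broad as the permissions actually observed, and the require block lists nothing beyond the types and classes those rules reference, so the generated rules can be read line by line against the denials before being loaded.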
Scratch that last bit about the kernel. It complains about the legacy PTYs because it is falling back to them. In other words, it cannot open a PTY through the regular interface. Definitely SELinux-related, since it works fine if I turn off SELinux completely. No idea what policy lines are needed here, though.
(In reply to comment #0)

I have almost exactly the same problem - xl2tpd-1.3.1-1.fc16.i686
A similar setup in Fedora 8 works without problem.

Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: Connection established to 192.168.0.98, 1701. Local: 32045, Remote: 1 (ref=0/0). LNS session is 'default'
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: getPtyMaster_ptmx: unable to open /dev/ptmx to allocate pty
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: getPtyMaster: failed to use pts -- using legacy ptys
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: getPtyMaster_pty: No more free pseudo-tty's
Jan 24 20:20:35 p320g--f16 xl2tpd[7002]: start_pppd: unable to allocate pty, abandoning!

> Description of problem:
>
> When SELinux is enabled, xl2tpd fails to run due to insufficient privileges. It
> appears there is no SELinux policy shipped with xl2tpd.
>
> Version-Release number of selected component (if applicable):
>
> xl2tpd-1.3.1-1.fc16.x86_64
>
> How reproducible:
>
> Always
>
> Steps to Reproduce:
> 1. Start xl2tpd
> 2. Try to set up a tunnel
>
> Actual results:
>
> Fails (initially even fails to start up daemon), logs in
> /var/log/audit/audit.log and /var/log/messages about SELinux blockage.
>
> Expected results:
>
> A ppp0 interface.
>
> Additional info:
Note there is a policy in Fedora, but not in RHEL6.
Then please open a new bug for RHEL6.
dwalsh: has the xl2tpd policy update made it to rhel/epel yet?
Not in RHEL, did you open a bug requesting it?
I did now, and added selinux policy patches. See: https://bugzilla.redhat.com/show_bug.cgi?id=833557
Closing bug as the policy is there now in Fedora.