Bug 832149 - SELinux is preventing /usr/sbin/xl2tpd from 'execute' accesses on the file /usr/bin/kmod.
SELinux is preventing /usr/sbin/xl2tpd from 'execute' accesses on the file /u...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: xl2tpd (Show other bugs)
17
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Paul Wouters
Fedora Extras Quality Assurance
abrt_hash:ae8bc9582787b9abd8454615ebe...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-14 12:35 EDT by ZetaFunction
Modified: 2012-09-18 14:43 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-21 18:49:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
log/messages (3.05 KB, text/plain)
2012-06-14 18:38 EDT, ZetaFunction
no flags Details

  None (edit)
Description ZetaFunction 2012-06-14 12:35:09 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.0-1.fc17.x86_64
time:           Thu 14 Jun 2012 07:50:55 PM MSK

description:
:SELinux is preventing /usr/sbin/xl2tpd from 'execute' accesses on the file /usr/bin/kmod.
:
:*****  Plugin leaks (86.2 confidence) suggests  ******************************
:
:If you want to ignore xl2tpd trying to execute access the kmod file, because you believe it should not need this access.
:Then you should report this as a bug.  
:You can generate a local policy module to dontaudit this access.
:Do
:# grep /usr/sbin/xl2tpd /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:
:*****  Plugin catchall (14.7 confidence) suggests  ***************************
:
:If you believe that xl2tpd should be allowed execute access on the kmod file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep xl2tpd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:l2tpd_t:s0
:Target Context                system_u:object_r:insmod_exec_t:s0
:Target Objects                /usr/bin/kmod [ file ]
:Source                        xl2tpd
:Source Path                   /usr/sbin/xl2tpd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           xl2tpd-1.3.1-5.fc17.x86_64
:Target RPM Packages           kmod-7-2.fc17.x86_64
:Policy RPM                    selinux-policy-3.10.0-130.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3
:                              06:35:17 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    Thu 14 Jun 2012 07:46:28 PM MSK
:Last Seen                     Thu 14 Jun 2012 07:46:28 PM MSK
:Local ID                      80c96280-7c22-401a-aaa1-2f60c1c56d66
:
:Raw Audit Messages
:type=AVC msg=audit(1339688788.85:58): avc:  denied  { execute } for  pid=1435 comm="xl2tpd" name="kmod" dev="sda7" ino=9671 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1339688788.85:58): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff97078774 a1=7fff97078870 a2=7fff9707ad60 a3=20 items=0 ppid=1433 pid=1435 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xl2tpd exe=/usr/sbin/xl2tpd subj=system_u:system_r:l2tpd_t:s0 key=(null)
:
:Hash: xl2tpd,l2tpd_t,insmod_exec_t,file,execute
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Daniel Walsh 2012-06-14 15:33:37 EDT
Any idea what xl2tpd is trying to do with kmod?  Is it trying to load a kernel module?
Comment 2 ZetaFunction 2012-06-14 18:38:02 EDT
Created attachment 591941 [details]
log/messages
Comment 3 ZetaFunction 2012-06-14 18:39:51 EDT
(In reply to comment #1)
> Any idea what xl2tpd is trying to do with kmod?  Is it trying to load a
> kernel module?

yes.
Comment 4 Daniel Walsh 2012-06-14 18:48:32 EDT
Paul is this required?  Any other way to do this? 

Not crazy about letting daemons load kernel modules.
Comment 5 Paul Wouters 2012-06-15 12:15:46 EDT
Yeah, it is trying to modprobe l2tp_ppp and pppol2tp

I didn't much like that either. How about if I move it to the initscript?
Comment 6 Daniel Walsh 2012-06-15 15:47:26 EDT
That would be awesome.
Comment 7 Paul Wouters 2012-06-15 16:33:04 EDT
Please test the package from rawhide which should address this issue.

http://koji.fedoraproject.org/koji/buildinfo?buildID=324655
Comment 8 ZetaFunction 2012-06-15 17:04:51 EDT
Thanks a lot! no error occurred.
Comment 9 Paul Wouters 2012-06-15 18:13:24 EDT
Is it using kernel mode? You can test by sending LOTS of traffic and check if xl2tpd is using up any cpu or not. There should also be some messages about using kernel mode in the logs
Comment 10 ZetaFunction 2012-06-16 07:03:23 EDT
hmm.. I didn't have these modules.
 FATAL: Module l2tp_ppp not found.
 FATAL: Module pppol2tp not found.

xl2tpd[22057]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)

where to get the modules?
Comment 11 Paul Wouters 2012-06-18 10:27:06 EDT
The module l2tp_ppp should be in any kernel from about 2.6.21 up or so?
The pppol2tp module name was used before it was merged into the mainline kernel tree.

On fedora, this module is in:

/lib/modules/3.3.4-1.fc16.x86_64/kernel/net/l2tp/l2tp_ppp.ko

on rhel/epel, this module is in:

/lib/modules/2.6.32-220.17.1.el6.x86_64/kernel/drivers/net/pppol2tp.ko
Comment 12 ZetaFunction 2012-06-18 15:09:07 EDT
/ lib/modules/3.4.2-4.fc17.x86_64/Linux/net/l2tp / - This folder is empty. This is strange..
Comment 13 ZetaFunction 2012-06-18 17:35:44 EDT
"/lib/modules/3.4.2-4.fc17.x86_64/kernel/net/l2tp/" *
Comment 14 ManFree 2012-06-24 08:19:41 EDT
service xl2tpd start
Redirecting to /bin/systemctl  start xl2tpd.service
Job failed. See system journal and 'systemctl status' for details.

/var/log/messages:
Jun 24 20:17:59 localhost systemd[1]: Cannot add dependency job for unit openswan.service, ignoring: Unit openswan.service failed to load: No such file or directory. See system logs and 'systemctl status openswan.service' for details.
Jun 24 20:17:59 localhost systemd[1]: xl2tpd.service: control process exited, code=exited status=1
Jun 24 20:17:59 localhost systemd[1]: Unit xl2tpd.service entered failed state.
Comment 15 ManFree 2012-06-24 08:27:01 EDT
It's bad idea to use openswan with xl2tpd. Russian VPN L2TP often don't need IPSec.
Comment 16 ManFree 2012-06-24 09:36:47 EDT
It's necessary to add in xl2tpd.spec:
Requires: kernel-modules-extra.
Comment 17 Paul Wouters 2012-06-25 10:10:37 EDT
I will remove the broken dep on openswan.service (should have been ipsec.service but you are right some people use it without openswan)

I don't see any kernel-modules-extra package in Fedora or RHEL/EPEL ?
Comment 18 Eric Paris 2012-06-25 10:51:06 EDT
kernel-modules-extra is in F17 and F18.  Don't know if it is a subpackage in 16...

You won't find it in RHEL.
Comment 19 ManFree 2012-06-25 12:39:44 EDT
l2tp_ppp, pppol2tp modules are in kernel-modules-extra in F17 and higher. That's why xl2tpd wants kernel-modules-extra and doesn't work without l2tp_ppp, pppol2tp modules.
Comment 20 ZetaFunction 2012-06-25 16:01:43 EDT
Nothing is clear. I have installed the kernel-modules-extra package, but the modules l2tp_ppp and pppol2tp is not found in those directories. How to enable these modules?
Comment 21 Paul Wouters 2012-06-25 23:55:28 EDT
I've build 1.3.1-8 in rawhide that addresses these issues


http://koji.fedoraproject.org/koji/taskinfo?taskID=4195424


ZetaFunction: for me, the l2tp_ppp module is part of kernel-modules-extra on F17 and rawhide. The pppol2tp is the old name, and we only try to load that one if we don't find l2tp_ppp
Comment 22 ManFree 2012-06-26 00:34:02 EDT
It's bad idea to move l2tp_ppp/pppol2tp into kernel-modules-extra, because l2tp_ppp/pppol2tp modules are base for Internet, that's why l2tp_ppp/pppol2tp must be in distribution by default.
Comment 23 ManFree 2012-06-26 00:41:47 EDT
(In reply to comment #20)
> Nothing is clear. I have installed the kernel-modules-extra package, but the
> modules l2tp_ppp and pppol2tp is not found in those directories. How to
> enable these modules?

I only restarted system. But I believe that xl2tpd from ZetaFunction did not find l2tp_ppp/pppol2tp, because It's difficult to instal kernel-modules-extra with version of kernel. No problem to install any version of kernel-modules-extra, but it's will not work, because user must install identical version. It's big problem.
Comment 24 Fedora Update System 2012-07-10 17:27:42 EDT
xl2tpd-1.3.1-9.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/xl2tpd-1.3.1-9.fc17
Comment 25 Fedora Update System 2012-07-10 17:30:00 EDT
xl2tpd-1.3.1-7.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/xl2tpd-1.3.1-7.fc16
Comment 26 ManFree 2012-07-11 05:30:54 EDT
Don't work.
/etc/rc.d/init.d/xl2tpd - no such file or directory.
Comment 27 Fedora Update System 2012-07-11 19:51:34 EDT
Package xl2tpd-1.3.1-9.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xl2tpd-1.3.1-9.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10527/xl2tpd-1.3.1-9.fc17
then log in and leave karma (feedback).
Comment 28 ManFree 2012-07-12 00:46:08 EDT
In spec: Requires: ppp >= 2.4.5-18, kernel-modules-extra
Where are kernel-PAE-modules-extra etc.?
Comment 29 Fedora Update System 2012-07-21 18:49:56 EDT
xl2tpd-1.3.1-9.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2012-07-21 18:53:21 EDT
xl2tpd-1.3.1-7.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 31 Fedora Update System 2012-09-18 14:43:59 EDT
xl2tpd-1.3.1-5.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/xl2tpd-1.3.1-5.el6

Note You need to log in before you can comment on or make changes to this bug.