libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.3.4-5.fc17.i686 time: Sun 24 Jun 2012 06:55:48 PM MSK description: :SELinux is preventing xl2tpd from 'execute' accesses on the file /usr/libexec/pt_chown. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that xl2tpd should be allowed execute access on the pt_chown file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep xl2tpd /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:l2tpd_t:s0 :Target Context system_u:object_r:ptchown_exec_t:s0 :Target Objects /usr/libexec/pt_chown [ file ] :Source xl2tpd :Source Path xl2tpd :Port <Unknown> :Host (removed) :Source RPM Packages :Target RPM Packages glibc-common-2.15-37.fc17.i686 :Policy RPM selinux-policy-3.10.0-121.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.3.4-5.fc17.i686 #1 : SMP Mon May 7 17:45:26 UTC 2012 i686 i686 :Alert Count 2 :First Seen Sun 24 Jun 2012 06:49:08 PM MSK :Last Seen Sun 24 Jun 2012 06:49:39 PM MSK :Local ID f734c8bc-fefc-43ce-ab5d-4367137c3851 : :Raw Audit Messages :type=AVC msg=audit(1340549379.808:306): avc: denied { execute } for pid=14701 comm="xl2tpd" name="pt_chown" dev="dm-1" ino=143612 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file : : :Hash: xl2tpd,l2tpd_t,ptchown_exec_t,file,execute : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :
Paul does this make sense to you? pt_chown is only called if devpts devices are created with the wrong ownership/permissions.
It's coming in through xl2tpd's pty.c: /* change the onwership */ if (grantpt(fd)) { l2tp_log (LOG_WARNING, "%s: unable to grantpt() on pty\n", __FUNCTION__); close(fd); return -EINVAL; } I'm not sure why this is needed, as the pppd's run as root since there are no other system users. It does set the gid to "tty", but I don't that really matters. I tested xl2tpd with the above code section removed, and the IPsec/L2TP tunnel worked fine. So I think this is mostly historic and can be removed.
xl2tpd and pppd works as root.
I would just make sure that pty is not too looses, IE Can a general user access the PTY.
crw--w----. 1 root tty 136, 1 Jun 26 21:45 /dev/pts/1 Seems fine to me?
Then it looks good.
xl2tpd-1.3.1-9.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/xl2tpd-1.3.1-9.fc17
Package xl2tpd-1.3.1-9.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing xl2tpd-1.3.1-9.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-10527/xl2tpd-1.3.1-9.fc17 then log in and leave karma (feedback).
xl2tpd-1.3.1-9.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
xl2tpd-1.3.1-5.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/xl2tpd-1.3.1-5.el6