Bug 860087 - Update SELinux policies for pppd
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
Assigned To: Miroslav Grepl
QA Contact: Michal Trunecka
Reported: 2012-09-24 18:35 EDT by Michal Bruncko
Modified: 2014-09-30 19:33 EDT
Fixed In Version: selinux-policy-3.7.19-168.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:30:46 EST
Type: Bug
Attachments: None
Description Michal Bruncko 2012-09-24 18:35:04 EDT
Description of problem:
I am using RHEL as a VPN server with IPsec+L2TP VPN. After connecting to the VPN server, the current SELinux policy prevents pppd from accessing some needed components (see the AVC messages below).

Version-Release number of selected component (if applicable):
- IPsec server - ipsec-tools-0.8.0-3.el6.x86_64
- L2TP daemon - xl2tpd-1.3.1-4.el6.x86_64
- pppd - ppp-2.4.5-5.el6 with the patch from https://bugzilla.redhat.com/show_bug.cgi?id=815128, which enables the pppol2tp module for pppd

How reproducible:
Always in this scenario.

Steps to Reproduce:
1.
2.
3.
  
Actual results:
type=SYSCALL msg=audit(1348163948.048:46): arch=c000003e syscall=44 success=yes exit=128 a0=6 a1=7fe6e7e63970 a2=80 a3=0 items=0 ppid=1 pid=1166 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="racoon" exe="/usr/sbin/racoon" subj=system_u:system_r:racoon_t:s0 key=(null)
type=AVC msg=audit(1348163950.118:47): avc:  denied  { getattr } for  pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=SYSCALL msg=audit(1348163950.118:47): arch=c000003e syscall=51 success=yes exit=0 a0=8 a1=7ffffa9f5fb0 a2=7ffffa9f603c a3=1999999999999999 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163950.118:48): avc:  denied  { getopt } for  pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=SYSCALL msg=audit(1348163950.118:48): arch=c000003e syscall=55 success=yes exit=0 a0=8 a1=111 a2=1 a3=7ffffa9f6038 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163952.154:49): avc:  denied  { read } for  pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1348163952.154:49): avc:  denied  { open } for  pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1348163952.154:49): arch=c000003e syscall=2 success=yes exit=9 a0=7ff041279510 a1=0 a2=1b6 a3=0 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163952.154:50): avc:  denied  { getattr } for  pid=2243 comm="pppd" path="/usr/share/radiusclient-ng/dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1348163952.154:50): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffffa9f5990 a2=7ffffa9f5990 a3=0 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)

Expected results:
All pppd actions should be enabled by the SELinux policy.
Comment 1 Michal Bruncko 2012-09-24 18:41:56 EDT
Just additional information: pppd also needs to be allowed the "read" and "write" operations on l2tpd_t:socket.
Without this I was not able to create a VPN connection.

thanks!
Comment 3 Michal Bruncko 2012-09-25 05:48:03 EDT
Just one thing: the reason pppd is trying to access radiusclient files (like the dictionary) is that I am using pppd with the radius.so plugin.

/etc/ppp/options.xl2tpd:
...
plugin radius.so
radius-config-file "/etc/radiusclient-ng/radiusclient.conf"
plugin radattr.so
...
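The AVC records in the description, together with the read/write socket denial from comment 1, are the input a local policy module is derived from. The following is an added example (not from this bug report or the selinux-policy package) that aggregates such denials into the minimal allow rules, the way audit2allow does, so the resulting module can be checked against exactly the denied (type, type, class, permission) tuples rather than granted more broadly; the sample audit text is constructed from the report's lines, and the combined "read write" record is constructed to mirror comment 1.

```python
import re
from collections import defaultdict

# Constructed sample audit text: AVC lines taken from the bug report, plus one
# constructed record for the read/write socket denials described in comment 1.
# A SYSCALL record is included to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1348163950.118:47): avc:  denied  { getattr } for  pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=AVC msg=audit(1348163950.118:48): avc:  denied  { getopt } for  pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=AVC msg=audit(1348163952.154:49): avc:  denied  { read } for  pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1348163952.154:49): avc:  denied  { open } for  pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1348163952.154:50): avc:  denied  { getattr } for  pid=2243 comm="pppd" path="/usr/share/radiusclient-ng/dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1348163953.000:51): avc:  denied  { read write } for  pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=SYSCALL msg=audit(1348163950.118:47): arch=c000003e syscall=51 success=yes exit=0 comm="pppd"
"""

# Matches the permission set and the source/target contexts of one AVC denial.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other noise are skipped
        stype = m.group("scon").split(":")[2]  # user:role:type:level -> type
        ttype = m.group("tcon").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())


def allow_rules(text):
    """Collapse denials into one allow rule per (source, target, class) triple."""
    needed = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        needed[(stype, ttype, tclass)] |= perms
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in needed.items()
    )


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
```

Feeding the output to a local .te module gives exactly the two rules this report needs (pppd_t on l2tpd_t sockets and on the radiusclient dictionary under usr_t); anything broader in a candidate module is not justified by the logged denials.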
Comment 4 Miroslav Grepl 2012-09-25 06:35:44 EDT
(In reply to comment #1)
> just additional information: pppd needs to be allowed also to "read" and
> "write" operations on l2tpd_t:socket.
> without this I was not able to create VPN connection.
> 
> thanks!

Ok. Thank you for testing.
Comment 5 Michal Bruncko 2012-10-04 04:32:18 EDT
It would probably be nice to use a new SELinux boolean for this "pppd <--> l2tp" ability, because this is a specific pppd usage. But this is only my opinion.
Comment 7 Michal Bruncko 2012-10-10 15:37:45 EDT
Tried the latest version again from http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ with the following results:

[root@vpn01 ~]# rpm -ivhU selinux-policy-3.7.19-168.el6.noarch.rpm selinux-policy-targeted-3.7.19-168.el6.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]
libsepol.scope_copy_callback: passenger: Duplicate declaration in module: type/attribute passenger_tmp_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!


Now I am unsure whether there is any point in trying to test, because I don't know if only one module failed or something else.
Comment 8 Miroslav Grepl 2012-10-11 01:53:40 EDT
Milos,
are you also getting this issue?
Comment 9 Milos Malik 2012-10-11 03:12:44 EDT
Yes, I see it too.

# yum reinstall selinux-policy-3.7.19-168.el6.noarch.rpm selinux-policy-targeted-3.7.19-168.el6.noarch.rpm 
Loaded plugins: product-id, refresh-packagekit, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Reinstall Process
Examining selinux-policy-3.7.19-168.el6.noarch.rpm: selinux-policy-3.7.19-168.el6.noarch
Examining selinux-policy-targeted-3.7.19-168.el6.noarch.rpm: selinux-policy-targeted-3.7.19-168.el6.noarch
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.7.19-168.el6 will be reinstalled
---> Package selinux-policy-targeted.noarch 0:3.7.19-168.el6 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package
     Arch   Version        Repository                                      Size
================================================================================
Reinstalling:
 selinux-policy
     noarch 3.7.19-168.el6 /selinux-policy-3.7.19-168.el6.noarch          8.7 M
 selinux-policy-targeted
     noarch 3.7.19-168.el6 /selinux-policy-targeted-3.7.19-168.el6.noarch 3.2 M

Transaction Summary
================================================================================
Reinstall     2 Package(s)

Total size: 12 M
Installed size: 12 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : selinux-policy-3.7.19-168.el6.noarch                         1/2 
  Installing : selinux-policy-targeted-3.7.19-168.el6.noarch                2/2 
libsepol.scope_copy_callback: passenger: Duplicate declaration in module: type/attribute passenger_tmp_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
  Verifying  : selinux-policy-3.7.19-168.el6.noarch                         1/2 
  Verifying  : selinux-policy-targeted-3.7.19-168.el6.noarch                2/2 

Installed:
  selinux-policy.noarch 0:3.7.19-168.el6                                        
  selinux-policy-targeted.noarch 0:3.7.19-168.el6                               

Complete!
#
Comment 10 Miroslav Grepl 2012-10-11 08:12:57 EDT
I apologize. Should be fixed in selinux-policy-3.7.19-169.el6 which will be uploaded soon.

Thank you for testing.
Comment 11 Michal Bruncko 2012-10-11 08:28:04 EDT
OK, no problem. Just one question: is anything else needed to override/disable the local SELinux policy? How is it possible to flush/clear it completely?

thanks
Comment 12 Miroslav Grepl 2012-10-11 11:10:07 EDT
Using the semodule tool:

# semodule -r mypol
Comment 13 Daniel Walsh 2012-10-11 11:59:31 EDT
selinux-policy-3.7.19-169.el6 is on people.redhat.com/dwalsh/SELinux/RHEL6
Comment 14 Michal Bruncko 2012-10-11 17:30:35 EDT
Yes! It's working now, confirming :) SELinux update without issues, local policy removed (semodule -r local), enforcing mode enabled.
Issue resolved, this bug could be closed now.
Comment 18 errata-xmlrpc 2013-02-21 03:30:46 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html