Bug 860087 - Update SELinux policies for pppd
Summary: Update SELinux policies for pppd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-09-24 22:35 UTC by Michal Bruncko
Modified: 2014-09-30 23:33 UTC (History)

Fixed In Version: selinux-policy-3.7.19-168.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 08:30:46 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2013:0314 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2013-02-20 20:35:01 UTC

Description Michal Bruncko 2012-09-24 22:35:04 UTC
Description of problem:
I am using RHEL as a VPN server with IPSec+L2TP VPN. After connecting to the VPN server, the current SELinux policy prevents pppd from accessing some needed components (see AVC messages below).

Version-Release number of selected component (if applicable):
- ipsec server - ipsec-tools-0.8.0-3.el6.x86_64
- l2tp demon - xl2tpd-1.3.1-4.el6.x86_64
- pppd - ppp-2.4.5-5.el6 with patch from https://bugzilla.redhat.com/show_bug.cgi?id=815128 - which enables pppol2tp module for pppd

How reproducible:
always in this scenario

Actual results:
type=SYSCALL msg=audit(1348163948.048:46): arch=c000003e syscall=44 success=yes exit=128 a0=6 a1=7fe6e7e63970 a2=80 a3=0 items=0 ppid=1 pid=1166 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="racoon" exe="/usr/sbin/racoon" subj=system_u:system_r:racoon_t:s0 key=(null)
type=AVC msg=audit(1348163950.118:47): avc:  denied  { getattr } for  pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=SYSCALL msg=audit(1348163950.118:47): arch=c000003e syscall=51 success=yes exit=0 a0=8 a1=7ffffa9f5fb0 a2=7ffffa9f603c a3=1999999999999999 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163950.118:48): avc:  denied  { getopt } for  pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=SYSCALL msg=audit(1348163950.118:48): arch=c000003e syscall=55 success=yes exit=0 a0=8 a1=111 a2=1 a3=7ffffa9f6038 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163952.154:49): avc:  denied  { read } for  pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1348163952.154:49): avc:  denied  { open } for  pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1348163952.154:49): arch=c000003e syscall=2 success=yes exit=9 a0=7ff041279510 a1=0 a2=1b6 a3=0 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163952.154:50): avc:  denied  { getattr } for  pid=2243 comm="pppd" path="/usr/share/radiusclient-ng/dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1348163952.154:50): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffffa9f5990 a2=7ffffa9f5990 a3=0 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)

Expected results:
all pppd actions should be enabled by selinux policy

Comment 1 Michal Bruncko 2012-09-24 22:41:56 UTC
Just additional information: pppd also needs to be allowed "read" and "write" operations on l2tpd_t:socket.
Without this I was not able to create a VPN connection.

thanks!
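The denials from the report and from comment 1, collapsed into the allow rules a local policy module would need. This is an added example, not code from the bug or from the selinux-policy package; the last audit line is constructed to reflect comment 1 (read/write on the l2tpd_t socket), and the module name pppd_l2tp_local is assumed.

```python
import re
from collections import defaultdict

# Audit records taken from the bug report above; the last AVC line is constructed to
# reflect comment 1 (pppd also needs read/write on the l2tpd_t socket). The SYSCALL
# record is included to show that non-AVC records are skipped by the parser.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1348163950.118:47): arch=c000003e syscall=51 success=yes exit=0 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163950.118:47): avc:  denied  { getattr } for  pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=AVC msg=audit(1348163950.118:48): avc:  denied  { getopt } for  pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=AVC msg=audit(1348163952.154:49): avc:  denied  { read } for  pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1348163952.154:49): avc:  denied  { open } for  pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1348163952.154:50): avc:  denied  { getattr } for  pid=2243 comm="pppd" path="/usr/share/radiusclient-ng/dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1348163955.000:51): avc:  denied  { read write } for  pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+?)\s*\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

def parse_denials(log_text):
    """Collapse AVC denials into {(source_type, target_type, class): {perms}}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        # a context is user:role:type:level; the policy rule only needs the type
        key = (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def render_module(name, denials):
    """Emit a policy_module() .te file: require block plus one allow rule per key."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in denials.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"policy_module({name}, 1.0)", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

The .te text is what you would review before building it with the selinux-policy devel Makefile and loading it with semodule -i; note that read on usr_t:file is far broader than the single radiusclient dictionary pppd actually opened, which is why a local module of this kind is a stopgap until the shipped policy covers the case.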

Comment 3 Michal Bruncko 2012-09-25 09:48:03 UTC
Just one thing: the reason why pppd is trying to access stuff of radiusclient (like dictionary) is because I am using pppd with radius.so plugin.

/etc/ppp/options.xl2tpd:
...
plugin radius.so
radius-config-file "/etc/radiusclient-ng/radiusclient.conf"
plugin radattr.so
...

Comment 4 Miroslav Grepl 2012-09-25 10:35:44 UTC
(In reply to comment #1)
> just additional information: pppd needs to be allowed also to "read" and
> "write" operations on l2tpd_t:socket.
> without this I was not able to create VPN connection.
> 
> thanks!

Ok. Thank you for testing.

Comment 5 Michal Bruncko 2012-10-04 08:32:18 UTC
Probably it would be nice to use a new SELinux boolean for this "pppd <--> l2tp ability", because this is a specific pppd usage. But this is only my opinion.

Comment 7 Michal Bruncko 2012-10-10 19:37:45 UTC
Tried the latest version again from http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ with the following results:

[root@vpn01 ~]# rpm -ivhU selinux-policy-3.7.19-168.el6.noarch.rpm selinux-policy-targeted-3.7.19-168.el6.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]
libsepol.scope_copy_callback: passenger: Duplicate declaration in module: type/attribute passenger_tmp_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!


Now I am unsure whether there is any sense in trying to test, because I don't know if only one module failed or something else.

Comment 8 Miroslav Grepl 2012-10-11 05:53:40 UTC
Milos,
are you also getting this issue?

Comment 9 Milos Malik 2012-10-11 07:12:44 UTC
Yes, I see it too.

# yum reinstall selinux-policy-3.7.19-168.el6.noarch.rpm selinux-policy-targeted-3.7.19-168.el6.noarch.rpm 
Loaded plugins: product-id, refresh-packagekit, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Reinstall Process
Examining selinux-policy-3.7.19-168.el6.noarch.rpm: selinux-policy-3.7.19-168.el6.noarch
Examining selinux-policy-targeted-3.7.19-168.el6.noarch.rpm: selinux-policy-targeted-3.7.19-168.el6.noarch
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.7.19-168.el6 will be reinstalled
---> Package selinux-policy-targeted.noarch 0:3.7.19-168.el6 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package
     Arch   Version        Repository                                      Size
================================================================================
Reinstalling:
 selinux-policy
     noarch 3.7.19-168.el6 /selinux-policy-3.7.19-168.el6.noarch          8.7 M
 selinux-policy-targeted
     noarch 3.7.19-168.el6 /selinux-policy-targeted-3.7.19-168.el6.noarch 3.2 M

Transaction Summary
================================================================================
Reinstall     2 Package(s)

Total size: 12 M
Installed size: 12 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : selinux-policy-3.7.19-168.el6.noarch                         1/2 
  Installing : selinux-policy-targeted-3.7.19-168.el6.noarch                2/2 
libsepol.scope_copy_callback: passenger: Duplicate declaration in module: type/attribute passenger_tmp_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
  Verifying  : selinux-policy-3.7.19-168.el6.noarch                         1/2 
  Verifying  : selinux-policy-targeted-3.7.19-168.el6.noarch                2/2 

Installed:
  selinux-policy.noarch 0:3.7.19-168.el6                                        
  selinux-policy-targeted.noarch 0:3.7.19-168.el6                               

Complete!
#

Comment 10 Miroslav Grepl 2012-10-11 12:12:57 UTC
I apologize. Should be fixed in selinux-policy-3.7.19-169.el6 which will be uploaded soon.

Thank you for testing.

Comment 11 Michal Bruncko 2012-10-11 12:28:04 UTC
OK, no problem. Just one question: is anything else needed to override/disable the local SELinux policy? How is it possible to flush/clear it completely?

thanks

Comment 12 Miroslav Grepl 2012-10-11 15:10:07 UTC
Using the semodule tool:

# semodule -r mypol

Comment 13 Daniel Walsh 2012-10-11 15:59:31 UTC
selinux-policy-3.7.19-169.el6 is on people.redhat.com/dwalsh/SELinux/RHEL6

Comment 14 Michal Bruncko 2012-10-11 21:30:35 UTC
Yes! It's working now, confirming :) SELinux update without issues, local policy removed (semodule -r local), enforcing mode enabled.
Issue resolved, this bug could be closed now.

Comment 18 errata-xmlrpc 2013-02-21 08:30:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

