Description of problem:
I am using RHEL as a VPN server with IPSec+L2TP VPN. After connecting to the VPN server, the current SELinux policy prevents pppd from accessing some needed components (see AVC messages below).

Version-Release number of selected component (if applicable):
- ipsec server - ipsec-tools-0.8.0-3.el6.x86_64
- l2tp daemon - xl2tpd-1.3.1-4.el6.x86_64
- pppd - ppp-2.4.5-5.el6 with patch from https://bugzilla.redhat.com/show_bug.cgi?id=815128 - which enables the pppol2tp module for pppd

How reproducible:
always in this scenario

Steps to Reproduce:
1.
2.
3.

Actual results:
type=SYSCALL msg=audit(1348163948.048:46): arch=c000003e syscall=44 success=yes exit=128 a0=6 a1=7fe6e7e63970 a2=80 a3=0 items=0 ppid=1 pid=1166 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="racoon" exe="/usr/sbin/racoon" subj=system_u:system_r:racoon_t:s0 key=(null)
type=AVC msg=audit(1348163950.118:47): avc: denied { getattr } for pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=SYSCALL msg=audit(1348163950.118:47): arch=c000003e syscall=51 success=yes exit=0 a0=8 a1=7ffffa9f5fb0 a2=7ffffa9f603c a3=1999999999999999 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163950.118:48): avc: denied { getopt } for pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=SYSCALL msg=audit(1348163950.118:48): arch=c000003e syscall=55 success=yes exit=0 a0=8 a1=111 a2=1 a3=7ffffa9f6038 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163952.154:49): avc: denied { read } for pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1348163952.154:49): avc: denied { open } for pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1348163952.154:49): arch=c000003e syscall=2 success=yes exit=9 a0=7ff041279510 a1=0 a2=1b6 a3=0 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163952.154:50): avc: denied { getattr } for pid=2243 comm="pppd" path="/usr/share/radiusclient-ng/dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1348163952.154:50): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffffa9f5990 a2=7ffffa9f5990 a3=0 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)

Expected results:
all pppd actions should be enabled by the SELinux policy
Just additional information: pppd also needs to be allowed "read" and "write" operations on l2tpd_t:socket. Without this I was not able to create a VPN connection. Thanks!
Just one thing: the reason why pppd is trying to access radiusclient files (like the dictionary) is that I am using pppd with the radius.so plugin.

/etc/ppp/options.xl2tpd:
...
plugin radius.so
radius-config-file "/etc/radiusclient-ng/radiusclient.conf"
plugin radattr.so
...
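The denials above are the raw material for a local policy module, and the thread later removes one with `semodule -r local`. The script below is an added example, not part of the bug report or of the selinux-policy package: it does by hand what `audit2allow -M` does, turning AVC "denied" records into a module source (.te) with a `require` block and one merged `allow` rule per source type, target type and class. The sample AVC lines are constructed to mirror the ones in the report plus the read/write socket denials mentioned in comment #1; the module name `pppd_l2tp_local` and the optional boolean name `pppd_l2tp_sockets` are assumptions chosen for illustration, not names from the real policy.

```shell
#!/bin/sh
# Added example (not from the bug report): generate a local SELinux policy
# module source from AVC denial records, the way audit2allow does.

# Constructed sample input: the pppd denials from the report, plus the
# read/write denials on the l2tpd_t socket that comment #1 reports.
SAMPLE_AVCS='type=AVC msg=audit(1348163950.118:47): avc: denied { getattr } for pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=AVC msg=audit(1348163950.118:48): avc: denied { getopt } for pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=AVC msg=audit(1348163953.000:51): avc: denied { read write } for pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=AVC msg=audit(1348163952.154:49): avc: denied { read } for pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1348163952.154:49): avc: denied { open } for pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1348163952.154:50): avc: denied { getattr } for pid=2243 comm="pppd" path="/usr/share/radiusclient-ng/dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# avc_to_te MODULE [BOOLEAN]
# Reads AVC records on stdin and prints a .te module source on stdout.
# Permissions for the same (source, target:class) triple are merged into
# one allow rule; the require block lists every type and class/permission
# the rules reference.  If BOOLEAN is given, the rules are wrapped in an
# "if (BOOLEAN) { ... }" block so they can be toggled with setsebool
# (this is the hypothetical boolean suggested later in the thread).
avc_to_te() {
    awk -v mod="$1" -v bool="$2" '
    /avc: +denied/ {
        # permissions: the words between "{" and "}"
        perms = $0; sub(/.*denied [{] */, "", perms); sub(/ *[}].*/, "", perms)
        # source and target contexts: user:role:type:level, take the type
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":")
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":")
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        if (!(s[3] in types)) { types[s[3]] = 1; tlist[++nt] = s[3] }
        if (!(t[3] in types)) { types[t[3]] = 1; tlist[++nt] = t[3] }
        if (!(cls in cperm)) { cperm[cls] = ""; clist[++nc] = cls }
        key = s[3] " " t[3] ":" cls
        if (!(key in rule)) { rule[key] = ""; keys[++nk] = key }
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) {
            if (!((key, p[i]) in seen)) { seen[key, p[i]] = 1; rule[key] = rule[key] " " p[i] }
            if (!((cls, p[i]) in cseen)) { cseen[cls, p[i]] = 1; cperm[cls] = cperm[cls] " " p[i] }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", clist[i], cperm[clist[i]]
        printf "}\n\n"
        indent = ""
        if (bool != "") { printf "bool %s false;\n\nif (%s) {\n", bool, bool; indent = "\t" }
        for (i = 1; i <= nk; i++) printf "%sallow %s {%s };\n", indent, keys[i], rule[keys[i]]
        if (bool != "") printf "}\n"
    }'
}

# Stand-alone run: emit the module source for the constructed sample.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_te pppd_l2tp_local pppd_l2tp_sockets
```

On a real host the input would come from `ausearch -m avc -c pppd` (or `grep 'avc:.*denied' /var/log/audit/audit.log`), and the output would be built and loaded with `checkmodule -M -m -o pppd_l2tp_local.mod pppd_l2tp_local.te`, `semodule_package -o pppd_l2tp_local.pp -m pppd_l2tp_local.mod`, and `semodule -i pppd_l2tp_local.pp`; `semodule -r pppd_l2tp_local` removes it again once the distribution policy carries the fix, which is what the reporter does at the end of the thread. Review the generated rules before loading them: the `usr_t` rule, for instance, allows pppd_t to read any file labelled `usr_t`, not just the radiusclient dictionary, which is broader than the single file the denial was about.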
(In reply to comment #1)
> just additional information: pppd needs to be allowed also to "read" and
> "write" operations on l2tpd_t:socket.
> without this I was not able to create VPN connection.
>
> thanks!

Ok. Thank you for testing.
Probably it would be nice to use a new SELinux boolean for this "pppd <--> l2tp ability", because this is a specific pppd usage. But this is only my opinion.
Tried the latest version again from http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ with the following results:

[root@vpn01 ~]# rpm -ivhU selinux-policy-3.7.19-168.el6.noarch.rpm selinux-policy-targeted-3.7.19-168.el6.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]
libsepol.scope_copy_callback: passenger: Duplicate declaration in module: type/attribute passenger_tmp_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

Now I am unsure whether it makes sense to keep testing, because I don't know if only one module failed or something else did.
Milos, are you also getting this issue?
Yes, I see it too.

# yum reinstall selinux-policy-3.7.19-168.el6.noarch.rpm selinux-policy-targeted-3.7.19-168.el6.noarch.rpm
Loaded plugins: product-id, refresh-packagekit, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Reinstall Process
Examining selinux-policy-3.7.19-168.el6.noarch.rpm: selinux-policy-3.7.19-168.el6.noarch
Examining selinux-policy-targeted-3.7.19-168.el6.noarch.rpm: selinux-policy-targeted-3.7.19-168.el6.noarch
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.7.19-168.el6 will be reinstalled
---> Package selinux-policy-targeted.noarch 0:3.7.19-168.el6 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch    Version           Repository                                      Size
================================================================================
Reinstalling:
 selinux-policy           noarch  3.7.19-168.el6    /selinux-policy-3.7.19-168.el6.noarch           8.7 M
 selinux-policy-targeted  noarch  3.7.19-168.el6    /selinux-policy-targeted-3.7.19-168.el6.noarch  3.2 M

Transaction Summary
================================================================================
Reinstall     2 Package(s)

Total size: 12 M
Installed size: 12 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : selinux-policy-3.7.19-168.el6.noarch                    1/2
  Installing : selinux-policy-targeted-3.7.19-168.el6.noarch           2/2
libsepol.scope_copy_callback: passenger: Duplicate declaration in module: type/attribute passenger_tmp_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
  Verifying  : selinux-policy-3.7.19-168.el6.noarch                    1/2
  Verifying  : selinux-policy-targeted-3.7.19-168.el6.noarch           2/2

Installed:
  selinux-policy.noarch 0:3.7.19-168.el6
  selinux-policy-targeted.noarch 0:3.7.19-168.el6

Complete!
#
I apologize. Should be fixed in selinux-policy-3.7.19-169.el6 which will be uploaded soon. Thank you for testing.
Ok, no problem. Just one question: is anything else needed to override/disable a local SELinux policy? How is it possible to flush/clear it completely? Thanks.
Using the semodule tool:

# semodule -r mypol
selinux-policy-3.7.19-169.el6 is on people.redhat.com/dwalsh/SELinux/RHEL6
Yes! It's working now, confirming :) SELinux update without issues, local policy removed (semodule -r local), enforcing mode enabled. Issue resolved, this bug could be closed now.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html