Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 860087

Summary: Update SELinux policies for pppd
Product: Red Hat Enterprise Linux 6 Reporter: Michal Bruncko <michal.bruncko>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Michal Trunecka <mtruneck>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.5CC: dwalsh, ebenes, mmalik, mtruneck
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-168.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 08:30:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Bruncko 2012-09-24 22:35:04 UTC 
Description of problem:
I am using RHEL as VPN server with IPSec+L2TP VPN. After connecting to VPN server the current selinux policy prevents pppd for accessing some needed components (see AVC messages below)

Version-Release number of selected component (if applicable):
- ipsec server - ipsec-tools-0.8.0-3.el6.x86_64
- l2tp demon - xl2tpd-1.3.1-4.el6.x86_64
- pppd - ppp-2.4.5-5.el6 with patch from https://bugzilla.redhat.com/show_bug.cgi?id=815128 - which enables pppol2tp module for pppd

How reproducible:
always in this scenario

Steps to Reproduce:
1.
2.
3.
  
Actual results:
type=SYSCALL msg=audit(1348163948.048:46): arch=c000003e syscall=44 success=yes exit=128 a0=6 a1=7fe6e7e63970 a2=80 a3=0 items=0 ppid=1 pid=1166 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="racoon" exe="/usr/sbin/racoon" subj=system_u:system_r:racoon_t:s0 key=(null)
type=AVC msg=audit(1348163950.118:47): avc:  denied  { getattr } for  pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=SYSCALL msg=audit(1348163950.118:47): arch=c000003e syscall=51 success=yes exit=0 a0=8 a1=7ffffa9f5fb0 a2=7ffffa9f603c a3=1999999999999999 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163950.118:48): avc:  denied  { getopt } for  pid=2243 comm="pppd" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=unconfined_u:system_r:l2tpd_t:s0 tclass=socket
type=SYSCALL msg=audit(1348163950.118:48): arch=c000003e syscall=55 success=yes exit=0 a0=8 a1=111 a2=1 a3=7ffffa9f6038 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163952.154:49): avc:  denied  { read } for  pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1348163952.154:49): avc:  denied  { open } for  pid=2243 comm="pppd" name="dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1348163952.154:49): arch=c000003e syscall=2 success=yes exit=9 a0=7ff041279510 a1=0 a2=1b6 a3=0 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)
type=AVC msg=audit(1348163952.154:50): avc:  denied  { getattr } for  pid=2243 comm="pppd" path="/usr/share/radiusclient-ng/dictionary" dev=dm-1 ino=27491 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1348163952.154:50): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffffa9f5990 a2=7ffffa9f5990 a3=0 items=0 ppid=2027 pid=2243 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pppd" exe="/usr/sbin/pppd" subj=unconfined_u:system_r:pppd_t:s0 key=(null)

Expected results:
all pppd actions should be enabled by selinux policy
Comment 1 Michal Bruncko 2012-09-24 22:41:56 UTC 
just additional information: pppd needs to be allowed also to "read" and "write" operations on l2tpd_t:socket.
without this I was not able to create VPN connection.

thanks!
Comment 3 Michal Bruncko 2012-09-25 09:48:03 UTC 
Just one thing: the reason why pppd is trying to access stuff of radiusclient (like dictionary) is because I am using pppd with radius.so plugin.

/etc/ppp/options.xl2tpd:
...
plugin radius.so
radius-config-file "/etc/radiusclient-ng/radiusclient.conf"
plugin radattr.so
...
Comment 4 Miroslav Grepl 2012-09-25 10:35:44 UTC 
(In reply to comment #1)
> just additional information: pppd needs to be allowed also to "read" and
> "write" operations on l2tpd_t:socket.
> without this I was not able to create VPN connection.
> 
> thanks!

Ok. Thank you for testing.
Comment 5 Michal Bruncko 2012-10-04 08:32:18 UTC 
probably it will be nice to use for this "pppd <--> l2tp ability" a new selinux boolean variable because this is specific pppd usage. but this is only my opinion.
Comment 7 Michal Bruncko 2012-10-10 19:37:45 UTC 
tried latest version again from http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ with following results:

[root@vpn01 ~]# rpm -ivhU selinux-policy-3.7.19-168.el6.noarch.rpm selinux-policy-targeted-3.7.19-168.el6.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]
libsepol.scope_copy_callback: passenger: Duplicate declaration in module: type/attribute passenger_tmp_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!


now I am unsure if there is sense for trying testing because I dont know if only one module failed or anything else.
Comment 8 Miroslav Grepl 2012-10-11 05:53:40 UTC 
Milos,
are you also getting this issue?
Comment 9 Milos Malik 2012-10-11 07:12:44 UTC 
Yes, I see it too.

# yum reinstall selinux-policy-3.7.19-168.el6.noarch.rpm selinux-policy-targeted-3.7.19-168.el6.noarch.rpm 
Loaded plugins: product-id, refresh-packagekit, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Reinstall Process
Examining selinux-policy-3.7.19-168.el6.noarch.rpm: selinux-policy-3.7.19-168.el6.noarch
Examining selinux-policy-targeted-3.7.19-168.el6.noarch.rpm: selinux-policy-targeted-3.7.19-168.el6.noarch
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.7.19-168.el6 will be reinstalled
---> Package selinux-policy-targeted.noarch 0:3.7.19-168.el6 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package
     Arch   Version        Repository                                      Size
================================================================================
Reinstalling:
 selinux-policy
     noarch 3.7.19-168.el6 /selinux-policy-3.7.19-168.el6.noarch          8.7 M
 selinux-policy-targeted
     noarch 3.7.19-168.el6 /selinux-policy-targeted-3.7.19-168.el6.noarch 3.2 M

Transaction Summary
================================================================================
Reinstall     2 Package(s)

Total size: 12 M
Installed size: 12 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : selinux-policy-3.7.19-168.el6.noarch                         1/2 
  Installing : selinux-policy-targeted-3.7.19-168.el6.noarch                2/2 
libsepol.scope_copy_callback: passenger: Duplicate declaration in module: type/attribute passenger_tmp_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
  Verifying  : selinux-policy-3.7.19-168.el6.noarch                         1/2 
  Verifying  : selinux-policy-targeted-3.7.19-168.el6.noarch                2/2 

Installed:
  selinux-policy.noarch 0:3.7.19-168.el6                                        
  selinux-policy-targeted.noarch 0:3.7.19-168.el6                               

Complete!
#
Comment 10 Miroslav Grepl 2012-10-11 12:12:57 UTC 
I apologize. Should be fixed in selinux-policy-3.7.19-169.el6 which will be uploaded soon.

Thank you for testing.
Comment 11 Michal Bruncko 2012-10-11 12:28:04 UTC 
ok, no problem. just one question. is anything else needed to override/disable local Selinux policy? how is possible to flush/clear it completely?

thanks
Comment 12 Miroslav Grepl 2012-10-11 15:10:07 UTC 
Using semodule tool

# semodule -r mypol
Comment 13 Daniel Walsh 2012-10-11 15:59:31 UTC 
selinux-policy-3.7.19-169.el6 is on people.redhat.com/dwalsh/SELinux/RHEL6
Comment 14 Michal Bruncko 2012-10-11 21:30:35 UTC 
yes! its working now, confirming :) selinux update without issues, local policy removed (semodule -r local), enforcing mode enabled.
issue resolved, this bug could be closed now
Comment 18 errata-xmlrpc 2013-02-21 08:30:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html