kl2tpd denials when running under NetworkManager-l2tp #2259

Open
tomparkin opened this issue Jul 24, 2024 · 1 comment · May be fixed by #2317

Comments

@tomparkin commented Jul 24, 2024

When using kl2tpd in conjunction with NetworkManager-l2tp to set up a VPN connection, kl2tpd is denied access to sysfs and netlink_generic_socket (sealert messages attached).

I was able to address this locally by installing this module:

vagrant@lac:~$ cat kl2tpd.te 

module kl2tpd 1.0;

require {
	type l2tpd_t;
	type sysfs_t;
	class file { open read };
	class netlink_generic_socket { bind create getattr getopt };
}

#============= l2tpd_t ==============
# kl2tpd creates and binds a generic netlink socket (l2tpd_t talking to itself, hence "self")
allow l2tpd_t self:netlink_generic_socket { bind create getattr getopt };
# kl2tpd opens and reads a file under /sys (labelled sysfs_t)
allow l2tpd_t sysfs_t:file { open read };

I think the correct approach would be to add something equivalent to this into the l2tp.te in selinux-policy, but I wanted to check whether this was the best approach prior to attempting to make the change.

Attachment: sealert.txt

@zpytela (Contributor) commented Aug 5, 2024

If there is justification, the best approach is to submit a PR with a brief explanation, reproducer, configuration change, denial, anything. At a first glance the policy looks reasonable.

tomparkin added a commit to tomparkin/selinux-policy that referenced this issue Aug 21, 2024:

The go-l2tp kl2tpd daemon used by NetworkManager-l2tp uses
netlink_generic_socket and sysfs.

This change addresses the following AVC denials:

type=AVC msg=audit(1721045130.932:277): avc:  denied  { read } for  pid=3560 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.932:278): avc:  denied  { open } for  pid=3560 comm="kl2tpd" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.942:279): avc:  denied  { create } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:280): avc:  denied  { getopt } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:281): avc:  denied  { bind } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:282): avc:  denied  { getattr } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1

Resolves: fedora-selinux#2259
@tomparkin tomparkin linked a pull request Aug 21, 2024 that will close this issue
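The module in the first comment is exactly what you get by aggregating the six AVC lines from the commit message per (source type, target type, class) and emitting one allow rule per group, which is what audit2allow does. The script below is an added example, not code from this issue or from selinux-policy, that performs that aggregation on the denial lines quoted above (embedded here as sample input) and prints a .te module equivalent to the posted one; the function names parse_avc and to_te are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the six AVC denial lines quoted in the commit message above,
# embedded here so the example runs offline.
AVC_LINES = """\
type=AVC msg=audit(1721045130.932:277): avc:  denied  { read } for  pid=3560 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.932:278): avc:  denied  { open } for  pid=3560 comm="kl2tpd" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.942:279): avc:  denied  { create } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:280): avc:  denied  { getopt } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:281): avc:  denied  { bind } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:282): avc:  denied  { getattr } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
"""

# Pull the permission set, both security contexts and the object class out of one AVC record.
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Aggregate AVC denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = _AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record; ignore
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def to_te(rules, name="kl2tpd", version="1.0"):
    """Render the aggregated rules as a loadable policy module in .te syntax."""
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms

    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        # A process acting on its own context is written as "self" in policy.
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_te(parse_avc(AVC_LINES)), end="")
```

The output matches the posted kl2tpd.te rule for rule. Two practitioner notes: the denials carry permissive=1, so they were collected with the domain (or the whole system) in permissive mode, which is the right way to get the complete set in one run; in enforcing mode the daemon stops at the first denial and the later ones never appear. The sysfs read is of hpage_pmd_size, which the Go runtime reads at startup to learn the transparent huge page size, so that rule is a property of any Go daemon confined in l2tpd_t rather than of kl2tpd's L2TP logic. To test the generated module locally, feed it to checkmodule -M -m, package it with semodule_package, and load it with semodule -i, as was done for the module in the first comment.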