
Allow l2tpd_t access to netlink and sysfs #2317

Open: wants to merge 1 commit into base: rawhide

Conversation

tomparkin

The go-l2tp kl2tpd daemon used by NetworkManager-l2tp uses netlink_generic_socket and sysfs.

This change addresses the following AVC denials:

type=AVC msg=audit(1721045130.932:277): avc: denied { read } for pid=3560 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.932:278): avc: denied { open } for pid=3560 comm="kl2tpd" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.942:279): avc: denied { create } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:280): avc: denied { getopt } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:281): avc: denied { bind } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:282): avc: denied { getattr } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1

Resolves: #2259


@zpytela zpytela left a comment


If you know anything about the code changes, please add them to the commit message or add a link.

allow l2tpd_t self:rawip_socket create_socket_perms;
allow l2tpd_t self:socket create_socket_perms;
allow l2tpd_t self:tcp_socket { accept listen };
allow l2tpd_t self:unix_dgram_socket sendto;
allow l2tpd_t self:unix_stream_socket { accept listen };
allow l2tpd_t self:pppox_socket create_socket_perms;
allow l2tpd_t sysfs_t:file { open read };
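Review bot: the last line, `allow l2tpd_t sysfs_t:file { open read };`, names sysfs_t directly although that type belongs to another module; as the reviewer notes, the convention for cross-module access is the owning module's interface, so this line should be replaced by `dev_read_sysfs(l2tpd_t)`, which already includes open and read on sysfs_t files and makes the raw allow redundant. The surrounding `allow l2tpd_t self:*_socket create_socket_perms;` lines also show the expected shape for the netlink_generic_socket permissions in the AVC denials (create, bind, getopt, getattr), which do not appear among the visible lines; if that rule lives in a hunk not shown here, `allow l2tpd_t self:netlink_generic_socket create_socket_perms;` is the matching form, and the commit message should say why kl2tpd needs generic netlink and sysfs rather than only listing the denials.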
zpytela (Contributor):

This line is a subset of dev_read_sysfs() which actually is the correct way to access types from other modules.

tomparkin (Author):

Sorry, my mistake.

I thought the same from reading the macro definition for dev_read_sysfs(), but during development I found I needed the extra "allow" line otherwise I was still hitting some access denials.

However, I think I must have gotten my packages mixed up in the test environment, as I've just re-tested from scratch without the "allow" and everything is working. I'll remove this extra line.
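The denials in the PR description and the review point above about dev_read_sysfs() are the two halves of the same workflow: collect the AVC records, group them the way audit2allow does, then decide whether the resulting raw allow rule is acceptable or should be written as a permission set or an interface from the owning module. The following script is an added example, not code from this pull request, selinux-policy or go-l2tp. It parses the six denial lines quoted in the description (embedded here as constructed sample input), and its `suggest_rule` mapping assumes the reference-policy definitions of `create_socket_perms` and `read_file_perms` as copied from obj_perm_sets.spt, plus a one-entry table mapping sysfs_t file reads to `dev_read_sysfs`; extend that table for other foreign types.

```python
"""Turn raw AVC denial lines into candidate SELinux policy rules.

Added example; not part of the selinux-policy PR or of go-l2tp.
"""
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the PR description.
AVC_LINES = """\
type=AVC msg=audit(1721045130.932:277): avc: denied { read } for pid=3560 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.932:278): avc: denied { open } for pid=3560 comm="kl2tpd" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.942:279): avc: denied { create } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:280): avc: denied { getopt } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:281): avc: denied { bind } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:282): avc: denied { getattr } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
"""

# Tolerates the single- and double-spaced variants of "avc:  denied  { perm }".
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permission sets as defined in refpolicy's obj_perm_sets.spt (assumption: copied, not imported).
RW_SOCKET_PERMS = {"ioctl", "read", "getattr", "write", "setattr", "append",
                   "bind", "connect", "getopt", "setopt", "shutdown"}
CREATE_SOCKET_PERMS = {"create"} | RW_SOCKET_PERMS
READ_FILE_PERMS = {"getattr", "open", "read", "lock", "ioctl"}

# Types owned by another module, keyed by (type, class), and the interface that
# grants read access to them. Only the entry this PR needs is filled in.
CROSS_MODULE_READ_IFACE = {("sysfs_t", "file"): "dev_read_sysfs"}


def context_type(ctx):
    """user:role:type:level -> type"""
    return ctx.split(":")[2]


def parse_avc(text):
    """Group denials into {(source_type, target_type, tclass): set(perms)}."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)


def raw_rule(key, perms):
    """The audit2allow-style literal rule for one group of denials."""
    src, tgt, cls = key
    target = "self" if src == tgt else tgt
    return f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};"


def suggest_rule(key, perms):
    """Prefer the policy's permission sets and interfaces over a literal allow.

    A self socket rule whose perms fit in create_socket_perms uses that set;
    a read of a type owned by another module goes through its interface;
    anything else falls back to the raw rule so nothing is silently dropped.
    """
    src, tgt, cls = key
    if src == tgt and cls.endswith("_socket") and perms <= CREATE_SOCKET_PERMS:
        return f"allow {src} self:{cls} create_socket_perms;"
    iface = CROSS_MODULE_READ_IFACE.get((tgt, cls))
    if iface and perms <= READ_FILE_PERMS:
        return f"{iface}({src})"
    return raw_rule(key, perms)


def policy_from_avc(text):
    """Candidate .te lines for a set of denials, in deterministic order."""
    return [suggest_rule(k, p) for k, p in sorted(parse_avc(text).items())]


if __name__ == "__main__":
    for k, p in parse_avc(AVC_LINES).items():
        print("audit2allow-style:", raw_rule(k, p))
    for rule in policy_from_avc(AVC_LINES):
        print("preferred:        ", rule)
```

For the sample input the raw form of the sysfs group is exactly the line the reviewer objected to, `allow l2tpd_t sysfs_t:file { open read };`, and the preferred form is `dev_read_sysfs(l2tpd_t)`. Two caveats when using this on real logs: the interface grants read access to all of sysfs, not only the single file named in the denial, so check that the broader grant is acceptable for the domain; and a permissive-mode run records every denial the daemon hits in one pass, but denials covered by dontaudit rules still will not appear unless those rules are disabled (semodule -DB) for the test.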

@tomparkin (Author)

Thanks @zpytela for reviewing.

Regarding commit comments, what sort of extra detail would be appropriate?

I tried to mirror the commit comment style in the git log, and the github issue has extra context. Should I add information about kl2tpd requirements, etc?

@dkosovic

> Regarding commit comments, what sort of extra detail would be appropriate?
>
> I tried to mirror the commit comment style in the git log, and the github issue has extra context. Should I add information about kl2tpd requirements, etc?

I wonder if @zpytela is referring to adding a higher-level background to the commit message as to why this pull request is required, e.g.:

The go-l2tp kl2tpd daemon is in the golang-github-katalix-l2tp RPM, which was first introduced with Fedora 41.

NetworkManager-l2tp version 1.20.0 and later use kl2tpd as the preferred L2TP daemon if it is installed, otherwise they fall back to using xl2tpd.

Newer NetworkManager-l2tp RPMs will have the xl2tpd Requires dependency changed to (go-l2tp or xl2tpd) to ensure kl2tpd gets installed by default, while still allowing xl2tpd.

Labels: none yet
Projects: none yet
Successfully merging this pull request may close these issues: kl2tpd denials when running under NetworkManager-l2tp
3 participants