kl2tpd denials when running under NetworkManager-l2tp #2259
Comments
If there is justification, the best approach is to submit a PR with a brief explanation, reproducer, configuration change, denial, anything. At a first glance the policy looks reasonable.
tomparkin added a commit to tomparkin/selinux-policy that referenced this issue on Aug 21, 2024:
The go-l2tp kl2tpd daemon used by NetworkManager-l2tp uses netlink_generic_socket and sysfs.

This change addresses the following AVC denials:

type=AVC msg=audit(1721045130.932:277): avc: denied { read } for pid=3560 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.932:278): avc: denied { open } for pid=3560 comm="kl2tpd" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.942:279): avc: denied { create } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:280): avc: denied { getopt } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:281): avc: denied { bind } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:282): avc: denied { getattr } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1

Resolves: fedora-selinux#2259
Issue description
When using kl2tpd in conjunction with NetworkManager-l2tp to set up a VPN connection, kl2tpd is denied access to sysfs and netlink_generic_socket (sealert messages attached).
I was able to address this locally by installing this module:
I think the correct approach would be to add something equivalent to this into the l2tp.te in selinux-policy, but I wanted to check whether this was the best approach prior to attempting to make the change.
Attachment: sealert.txt
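The reporter's local module is not reproduced on this page. As an added example, written here and not taken from the issue or from selinux-policy, the following POSIX shell script does what a local workaround for these denials involves: it parses the six AVC lines quoted in the commit message above (embedded verbatim as AVC_SAMPLE), merges the denied permissions per source type, target type and object class into allow rules, emits a minimal type enforcement module with the matching require block, and, when the checkpolicy tools are present, compiles it into a .pp that semodule can load. The module name local_kl2tpd and the function names are my own choices.

```shell
#!/bin/sh
# Added example: turn AVC denials into a local SELinux policy module.
# The denial lines are copied from the commit message on this page.

AVC_SAMPLE='type=AVC msg=audit(1721045130.932:277): avc: denied { read } for pid=3560 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.932:278): avc: denied { open } for pid=3560 comm="kl2tpd" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.942:279): avc: denied { create } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:280): avc: denied { getopt } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:281): avc: denied { bind } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:282): avc: denied { getattr } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1'

# avc_to_module NAME: read AVC denial lines on stdin, write a .te module on stdout.
# Permissions are merged per (source type, target type, class); a target equal to
# the source is written as "self". Types and classes are listed in a require block
# so the module loads against the base policy without defining anything itself.
avc_to_module() {
  awk -v name="$1" '
  /avc: *denied/ {
    perms = ""; inb = 0; s = ""; t = ""; c = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { inb = 1; continue }
      if ($i == "}") { inb = 0; continue }
      if (inb) { perms = perms " " $i; continue }
      if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }   # user:role:type:level -> type
      if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
      if ($i ~ /^tclass=/)   { c = substr($i, 8) }
    }
    if (s == "" || t == "" || c == "") next
    addtype(s); addtype(t)
    tgt = (s == t) ? "self" : t
    key = s " " tgt ":" c
    if (!(key in rules)) { rules[key] = ""; rkeys[++nr] = key }
    if (!(c in cperms))  { cperms[c] = ""; ckeys[++nc] = c }
    n = split(perms, p, " ")
    for (j = 1; j <= n; j++) {
      if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rules[key] = rules[key] " " p[j] }
      if (!((c, p[j]) in cseen))  { cseen[c, p[j]] = 1;  cperms[c] = cperms[c] " " p[j] }
    }
  }
  function addtype(ty) { if (!(ty in types)) { types[ty] = 1; tkeys[++nt] = ty } }
  END {
    print "module " name " 1.0;"
    print ""
    print "require {"
    for (i = 1; i <= nt; i++) print "\ttype " tkeys[i] ";"
    for (i = 1; i <= nc; i++) print "\tclass " ckeys[i] " {" cperms[ckeys[i]] " };"
    print "}"
    print ""
    for (i = 1; i <= nr; i++) print "allow " rkeys[i] " {" rules[rkeys[i]] " };"
  }'
}

# build_module NAME: compile NAME.te into NAME.pp with the checkpolicy tools.
build_module() {
  if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
    echo "checkmodule/semodule_package not found; cannot build $1.pp" >&2
    return 1
  fi
  checkmodule -M -m -o "$1.mod" "$1.te" &&
  semodule_package -o "$1.pp" -m "$1.mod" &&
  echo "built $1.pp; install with: sudo semodule -i $1.pp"
}

if [ "${1:-}" = "build" ]; then
  printf '%s\n' "$AVC_SAMPLE" | avc_to_module local_kl2tpd > local_kl2tpd.te
  build_module local_kl2tpd
else
  printf '%s\n' "$AVC_SAMPLE" | avc_to_module local_kl2tpd
fi
```

Without arguments the script prints the generated policy; with `build` as the first argument it writes local_kl2tpd.te, compiles it and tells you how to install the result. The rules it produces (sysfs_t:file { read open } and self:netlink_generic_socket { create getopt bind getattr } for l2tpd_t) are the bare-type form audit2allow would also give, which is fine for a local module; a change to the upstream l2tp.te would instead use the policy's interfaces and permission macros (for instance dev_read_sysfs() and create_socket_perms) rather than raw type names. Before installing any such module, check the denied accesses against what the daemon actually needs, since a local module grants exactly what the log showed, whether or not every access was legitimate.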