Allow l2tpd_t access to netlink and sysfs #2317
base: rawhide
Conversation
The go-l2tp kl2tpd daemon used by NetworkManager-l2tp uses netlink_generic_socket and sysfs.

This change addresses the following AVC denials:

type=AVC msg=audit(1721045130.932:277): avc: denied { read } for pid=3560 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.932:278): avc: denied { open } for pid=3560 comm="kl2tpd" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.942:279): avc: denied { create } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:280): avc: denied { getopt } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:281): avc: denied { bind } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:282): avc: denied { getattr } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1

Resolves: fedora-selinux#2259
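The step that the description above and the review below turn on is going from raw AVC denials to the smallest set of allow rules they imply, and then deciding which of those rules should be expressed through a policy interface rather than as a raw allow on a type owned by another module. The following shell script is an added example for this thread, not code from the fedora-selinux or go-l2tp projects. It assumes only POSIX sh, awk and sort; the sample denials are a constructed copy of the six quoted in the description, and the interface table in `suggest_interface` is a constructed one-entry excerpt (sysfs_t file reads map to the real `dev_read_sysfs()` interface named in the review), not a full audit2allow reference database.

```shell
#!/bin/sh
# Added example (not code from fedora-selinux or go-l2tp): derive candidate
# allow rules from raw AVC denials, grouped by (source type, target type,
# object class), then flag where a policy interface should replace a raw
# cross-module allow.

# Constructed sample: the six denials quoted in the PR description.
SAMPLE_AVCS='type=AVC msg=audit(1721045130.932:277): avc: denied { read } for pid=3560 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.932:278): avc: denied { open } for pid=3560 comm="kl2tpd" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.942:279): avc: denied { create } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:280): avc: denied { getopt } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:281): avc: denied { bind } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:282): avc: denied { getattr } for pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1'

# avc_to_allow: read AVC lines on stdin, print one
#   allow <src> <tgt>:<class> { perms };
# per (source type, target type, class). A target equal to the source
# becomes "self", matching the style of the l2tpd_t rules in the diff.
avc_to_allow() {
  awk '
    # scontext=user:role:type:level -> type
    function ctx_type(f,   p) { sub(/^[a-z]+=/, "", f); split(f, p, ":"); return p[3] }
    /avc: +denied \{/ {
      match($0, /\{[^}]*\}/)
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) src = ctx_type($i)
        else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
        else if ($i ~ /^tclass=/) cls = substr($i, 8)
      }
      if (src == "" || tgt == "" || cls == "") next
      if (tgt == src) tgt = "self"
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }
  ' | LC_ALL=C sort -u | awk '
    # Merge sorted (src tgt cls perm) tuples into one rule per src/tgt/cls.
    {
      key = $1 " " $2 ":" $3
      if (key != last) {
        if (last != "") print "allow " last " { " perms " };"
        last = key; perms = $4
      } else {
        perms = perms " " $4
      }
    }
    END { if (last != "") print "allow " last " { " perms " };" }
  '
}

# suggest_interface: rewrite rules whose target type belongs to another
# module as the interface call that module exports. Constructed one-entry
# table; audit2allow -R uses the real interface database for this.
suggest_interface() {
  while IFS= read -r rule; do
    case "$rule" in
      "allow "*" sysfs_t:file { open read };"|"allow "*" sysfs_t:file { read };")
        src=${rule#allow }; src=${src%% *}
        printf 'dev_read_sysfs(%s)\n' "$src" ;;
      *) printf '%s\n' "$rule" ;;
    esac
  done
}

# demo_rules: run the sample denials through avc_to_allow.
demo_rules() {
  printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
}

demo_rules | suggest_interface
```

On a live system the same pipeline reads the audit log instead of the constructed sample, for example `ausearch -m AVC -ts recent | avc_to_allow`. For the sample this yields `allow l2tpd_t self:netlink_generic_socket { bind create getattr getopt };` and `allow l2tpd_t sysfs_t:file { open read };`; the second is then replaced by `dev_read_sysfs(l2tpd_t)`, which is the point the reviewer makes about the diff below, and the first would normally be written with the `create_socket_perms` set already used by the neighbouring self: rules.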
If you know anything about the code changes, please add them to the commit message or add a link.
allow l2tpd_t self:rawip_socket create_socket_perms; | ||
allow l2tpd_t self:socket create_socket_perms; | ||
allow l2tpd_t self:tcp_socket { accept listen }; | ||
allow l2tpd_t self:unix_dgram_socket sendto; | ||
allow l2tpd_t self:unix_stream_socket { accept listen }; | ||
allow l2tpd_t self:pppox_socket create_socket_perms; | ||
allow l2tpd_t sysfs_t:file { open read }; |
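Review bot: the added line `allow l2tpd_t sysfs_t:file { open read };` at the end of this hunk is a raw allow on sysfs_t, a type that belongs to another module, where this policy uses the exporting module's interface; replace it with `dev_read_sysfs(l2tpd_t)`, which covers the read and open denials on /sys/kernel/mm/transparent_hugepage/hpage_pmd_size quoted in the description. The netlink_generic_socket { create getopt bind getattr } denials from the same description are not addressed by any line visible here, so confirm the hunk adding them is part of this change and written in the style of the neighbouring self: rules, e.g. `allow l2tpd_t self:netlink_generic_socket create_socket_perms;`.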
This line is a subset of dev_read_sysfs() which actually is the correct way to access types from other modules.
Sorry, my mistake.
I thought the same from reading the macro definition for dev_read_sysfs(), but during development I found I needed the extra "allow" line otherwise I was still hitting some access denials.
However I think I must have gotten my packages mixed up in the test environment as I've just re-tested from scratch without the "allow" and everything is working. I'll remove this extra line.
Thanks @zpytela for reviewing. Regarding commit comments, what sort of extra detail would be appropriate? I tried to mirror the commit comment style in the git log, and the github issue has extra context. Should I add information about kl2tpd requirements, etc?
I wonder if @zpytela is referring to adding a higher-level background to the commit message as to why this pull request is required, e.g.: The go-l2tp kl2tpd daemon is in the NetworkManager-l2tp version 1.20.0 and later use Newer NetworkManager-l2tp RPMs will have the