Allow l2tpd_t access to netlink and sysfs #2317

Open
wants to merge 1 commit into
base: rawhide

Commits on Aug 21, 2024

  1. Allow l2tpd_t access to netlink and sysfs

    The go-l2tp kl2tpd daemon used by NetworkManager-l2tp uses
    netlink_generic_socket and sysfs.
    
    This change addresses the following AVC denials:
    
    type=AVC msg=audit(1721045130.932:277): avc:  denied  { read } for  pid=3560 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1721045130.932:278): avc:  denied  { open } for  pid=3560 comm="kl2tpd" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1721045130.942:279): avc:  denied  { create } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
    type=AVC msg=audit(1721045130.942:280): avc:  denied  { getopt } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
    type=AVC msg=audit(1721045130.942:281): avc:  denied  { bind } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
    type=AVC msg=audit(1721045130.942:282): avc:  denied  { getattr } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
    
    Resolves: fedora-selinux#2259
    tomparkin committed Aug 21, 2024
    3f107f6
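
An added example, not part of the pull request or of the selinux-policy code: a Python script that groups the six AVC records quoted in the commit message by source type, target type and object class, and renders the raw allow rules they imply in the style of audit2allow output. The function names are this example's own, and the rules are derived from the log lines only; the policy change the PR actually makes is not shown on this page.

```python
import re
from collections import defaultdict

# The six AVC records from the commit message above, copied verbatim.
AVC_LOG = """\
type=AVC msg=audit(1721045130.932:277): avc:  denied  { read } for  pid=3560 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.932:278): avc:  denied  { open } for  pid=3560 comm="kl2tpd" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.942:279): avc:  denied  { create } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:280): avc:  denied  { getopt } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:281): avc:  denied  { bind } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:282): avc:  denied  { getattr } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?")

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log):
    """Group denials by (source type, target type, class); count enforced ones."""
    rules, enforced = defaultdict(set), 0
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
        rules[key].update(m["perms"].split())
        # permissive=1: logged but not blocked, so later syscalls still ran
        enforced += m["permissive"] == "0"
    return dict(rules), enforced

def to_allow_rules(rules):
    """Render the grouped denials as raw allow rules (audit2allow style)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        out.append(f"allow {src} {target}:{cls} {body};")
    return out

if __name__ == "__main__":
    rules, enforced = summarize(AVC_LOG)
    print("\n".join(to_allow_rules(rules)), f"\n# enforced denials: {enforced}")
```

All six records carry permissive=1, so none of these operations was actually blocked. Under enforcing mode the first denied operation would typically fail and the later ones might never be logged, which is why a denial set like this one is best collected in permissive mode before the policy is written.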