Allow l2tpd_t access to netlink and sysfs
The go-l2tp kl2tpd daemon used by NetworkManager-l2tp uses
netlink_generic_socket and sysfs.

This change addresses the following AVC denials:

type=AVC msg=audit(1721045130.932:277): avc:  denied  { read } for  pid=3560 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.932:278): avc:  denied  { open } for  pid=3560 comm="kl2tpd" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=1261 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721045130.942:279): avc:  denied  { create } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:280): avc:  denied  { getopt } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:281): avc:  denied  { bind } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1721045130.942:282): avc:  denied  { getattr } for  pid=3560 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=1

Resolves: fedora-selinux#2259
tomparkin committed Aug 21, 2024
1 parent 137c143 commit 3f107f6
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions policy/modules/contrib/l2tp.te
Expand Up @@ -30,12 +30,14 @@ allow l2tpd_t self:capability net_admin;
allow l2tpd_t self:process signal_perms;
allow l2tpd_t self:fifo_file rw_fifo_file_perms;
allow l2tpd_t self:netlink_socket create_socket_perms;
allow l2tpd_t self:netlink_generic_socket create_socket_perms;
allow l2tpd_t self:rawip_socket create_socket_perms;
allow l2tpd_t self:socket create_socket_perms;
allow l2tpd_t self:tcp_socket { accept listen };
allow l2tpd_t self:unix_dgram_socket sendto;
allow l2tpd_t self:unix_stream_socket { accept listen };
allow l2tpd_t self:pppox_socket create_socket_perms;
allow l2tpd_t sysfs_t:file { open read };

read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)

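Review bot: the direct rule `allow l2tpd_t sysfs_t:file { open read };` added at the end of this hunk is redundant with the `dev_read_sysfs(l2tpd_t)` call that this same commit adds in the next hunk: that interface expands to read_files_pattern on sysfs_t, which already includes open and read, so the raw line should be dropped and only the interface kept (contrib modules reach types owned by other modules, such as sysfs_t, through interfaces rather than by naming them directly). The new `netlink_generic_socket create_socket_perms` rule is broader than the four operations actually denied (create, getopt, bind, getattr), but it follows the pattern already used for `netlink_socket` on the line above it, so that part is fine as written.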
Expand Down Expand Up @@ -77,6 +79,7 @@ kernel_request_load_module(l2tpd_t)
corecmd_exec_bin(l2tpd_t)

dev_read_urand(l2tpd_t)
dev_read_sysfs(l2tpd_t)

term_setattr_generic_ptys(l2tpd_t)
term_use_generic_ptys(l2tpd_t)
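Review bot: `dev_read_sysfs(l2tpd_t)` grants read access to every file under sysfs_t, whereas the only sysfs denials quoted in the commit message are a read and open of /sys/kernel/mm/transparent_hugepage/hpage_pmd_size; a one-line comment above the call noting that kl2tpd is reading the transparent hugepage size, rather than "using sysfs" in general, would record why the access is needed and let a later maintainer decide whether a narrower rule is warranted.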
