VPN connection fails due to SELinux. How to add local policy?
FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Feb 2017
    Location
    USA
    Posts
    6

    VPN connection fails due to SELinux. How to add local policy?

    Unable to connect with PPPoL2TP with SELinux enforced. Works in permissive. Upgraded to ppp-2.4.7-21.fc28 because of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=156445

    Version 2.4.7-21 fixes the original issue, but now I have another problem. It's a bug, fair enough. The challenge is how to add a local SELinux policy allowing this?

    Here's the log:
    april 09 18:46:17 fedora28 pppd[4915]: Plugin pppol2tp.so loaded.
    april 09 18:46:17 fedora28 pppd[4915]: Given FD for PPPoL2TP socket invalid (Socket operation on non-socket)
    april 09 18:46:17 fedora28 NetworkManager[945]: xl2tpd[4914]: child_handler : pppd exited for call 37794 with code 1
    april 09 18:46:17 fedora28 NetworkManager[945]: xl2tpd[4914]: call_close: Call 18324 to 217.170.203.128 disconnected
    april 09 18:46:17 fedora28 pppd[4915]: Exit.
    april 09 18:46:17 fedora28 NetworkManager[945]: xl2tpd[4914]: get_call: can't find call 18324 in tunnel 28266
    april 09 18:46:17 fedora28 NetworkManager[945]: (ref=0/0)xl2tpd[4914]: get_call: can't find call 18324 in tunnel 28266
    april 09 18:46:20 fedora28 NetworkManager[945]: (ref=0/0)xl2tpd[4914]: get_call: can't find call 18324 in tunnel 28266
    april 09 18:46:30 fedora28 NetworkManager[945]: (ref=0/0)xl2tpd[4914]: death_handler: Fatal signal 15 received
    april 09 18:46:30 fedora28 NetworkManager[945]: xl2tpd[4914]: Connection 21741 closed to 217.170.203.128, port 1701 (Server closing)

    Found the following in ausearch:

    type=AVC msg=audit(1523314447.297:358): avc: denied { getattr } for pid=6450 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=pppox_socket permissive=1
    type=AVC msg=audit(1523314447.297:359): avc: denied { getopt } for pid=6450 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=pppox_socket permissive=1
    type=AVC msg=audit(1523314447.318:360): avc: denied { ioctl } for pid=6450 comm="pppd" path="socket:[77543]" dev="sockfs" ino=77543 ioctlcmd=0x7437 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=pppox_socket permissive=1

    I made various attempts of adding a local policy, but I'm no expert on SELinux and I was not able to make it work.

    Any suggestions?

  2. #2
    Join Date
    Jan 2010
    Posts
    7,365

    Re: VPN connection fails due to SELinux. How to add local policy?


  3. #3
    Join Date
    Feb 2017
    Location
    USA
    Posts
    6

    Re: VPN connection fails due to SELinux. How to add local policy?

    Thanks, but audit2allow is what I've been trying to use. ausearch lists a ton of stuff; how do I know exactly which lines are causing this issue? (I just pulled some of the ones mentioning PPP.)

  4. #4
    Join Date
    Oct 2006
    Location
    CN99CF Agassiz BC Canada
    Posts
    401

    Re: VPN connection fails due to SELinux. How to add local policy?

    I'd suggest using the SELinux Alert browser to notify you on which of the alerts you should concentrate. The SETroubleshoot Details Window analyzes the alert that caused the issue and shows you how to use ausearch and semodule to create a local policy file to allow the condition to be allowed in enforcing mode.

    Getting the SELinux Alert browser running is described in the wiki referenced above.
    -----
    f26 x86_64 Acer Predator G5910 Quad core Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz

  5. #5
    Join Date
    Apr 2018
    Location
    Worcester, Massachusetts, USA
    Posts
    3

    Re: VPN connection fails due to SELinux. How to add local policy?

    I just had a somewhat similar issue where NetworkManager was having trouble starting a ppp connection--fwiw I gave pppd permission over pppox_socket (for create, connect, ioctl) to resolve.

    USE AT OWN RISK

    local-ppp.te (see man audit2why for compilation, usage, etc.)
    Code:
    module local-ppp 1.0;
    
    require {
    	type pppd_t;
    	class pppox_socket { connect create ioctl }; # PERHAPS NEED getattr getopt IN YOUR CASE (?)
    }
    
    allow pppd_t self:pppox_socket { connect create ioctl }; # SAME AS ABOVE RE: getattr getopt (?)

  6. #6
    Join Date
    Feb 2017
    Location
    USA
    Posts
    6

    Re: VPN connection fails due to SELinux. How to add local policy?

    Quote Originally Posted by jims
    I'd suggest using the SELinux Alert browser to notify you on which of the alerts you should concentrate. The SETroubleshoot Details Window analyzes the alert that caused the issue and shows you how to use ausearch and semodule to create a local policy file to allow the condition to be allowed in enforcing mode.

    Getting the SELinux Alert browser running is described in the wiki referenced above.
    It is running, but the SELinux alert browser for some reason does not give an alert for all issues. There are no alerts for this one.

  7. #7
    Join Date
    Apr 2018
    Location
    Worcester, Massachusetts, USA
    Posts
    3

    Re: VPN connection fails due to SELinux. How to add local policy?

    Maybe copy out of /var/log/audit/audit.log and run the more recent lines through audit2why? I'd go look at timestamps; if you start trying to connect now and fail, I'd look at the messages only from around that time.

    The denial messages contain timestamps (for the simplest case you could manually look back through /var/log/audit/audit.log for "denied" messages and parse them yourself), e.g. msg=audit(1523314447.297:359) contains the timestamp 1523314447, so running `date -d@1523314447` here returns the local time "Mon Apr 9 18:54:07 EDT 2018".

    As the others stated there are various tools to help parse but it's not that difficult to look back yourself either if you're having trouble with them.
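    An added example (not code from this thread or any of its posters) that does what post #7 describes by hand and post #5 writes out: pick the AVC records for one comm inside a time window taken from the msg=audit(...) epoch stamp, then render a local-ppp.te in the same shape as post #5. The sample audit.log excerpt is constructed from the thread's own three denials plus one unrelated record; on a real system audit2allow -M does this step, and because the denied socket belongs to l2tpd_t rather than pppd_t itself, the rule that comes out targets l2tpd_t instead of self.

```python
import re

# Constructed sample audit.log excerpt: the thread's three pppd denials (with
# real audit.log spacing) plus an older, unrelated httpd record that a comm or
# time filter should leave out.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1523310000.000:100): avc:  denied  { read } for  pid=1 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1523314447.297:358): avc:  denied  { getattr } for  pid=6450 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=pppox_socket permissive=1
type=AVC msg=audit(1523314447.297:359): avc:  denied  { getopt } for  pid=6450 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=pppox_socket permissive=1
type=AVC msg=audit(1523314447.318:360): avc:  denied  { ioctl } for  pid=6450 comm="pppd" path="socket:[77543]" dev="sockfs" ino=77543 ioctlcmd=0x7437 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=pppox_socket permissive=1
"""

AVC_RE = re.compile(
    r'msg=audit\((?P<ts>\d+)\.\d+:\d+\).*?denied\s+\{\s*(?P<perms>[^}]+)\}'
    r'.*?comm="(?P<comm>[^"]+)".*?scontext=\w+:\w+:(?P<stype>\w+):'
    r'.*?tcontext=\w+:\w+:(?P<ttype>\w+):.*?tclass=(?P<tclass>\w+)')

def parse_denials(log_text, comm=None, since=None, until=None):
    """(source type, target type, class, permission) tuples for AVC denials,
    optionally limited to one comm and an epoch-second window (post #7)."""
    out = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        ts = int(m.group("ts"))
        if comm and m.group("comm") != comm:
            continue
        if (since is not None and ts < since) or (until is not None and ts > until):
            continue
        for perm in m.group("perms").split():
            out.append((m.group("stype"), m.group("ttype"), m.group("tclass"), perm))
    return out

def build_te(name, denials):
    """Render a .te module in the shape of post #5: a require block, then one
    allow rule per (source, target, class); target is 'self' when types match."""
    rules, classes = {}, {}
    for stype, ttype, tclass, perm in denials:
        rules.setdefault((stype, ttype, tclass), set()).add(perm)
        classes.setdefault(tclass, set()).add(perm)
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        lines.append(f"allow {s} {'self' if s == t else t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"
```

    Running `build_te("local-ppp", parse_denials(SAMPLE_AUDIT_LOG, comm="pppd", since=1523314440, until=1523314460))` yields a module whose single rule is `allow pppd_t l2tpd_t:pppox_socket { getattr getopt ioctl };`; compile and load it the usual way (checkmodule -M -m, semodule_package, semodule -i) once you have checked that each listed permission is one you actually intend to grant.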

  8. #8
    Join Date
    Apr 2018
    Location
    Worcester, Massachusetts, USA
    Posts
    3

    Re: VPN connection fails due to SELinux. How to add local policy?

    On April 16, a potential bugfix was posted as selinux-policy-3.14.1-21.fc28: https://koji.fedoraproject.org/koji/...uildID=1071065 and/or https://bodhi.fedoraproject.org/upda...018-1148ada2a3

    The changelog includes
    • Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096)
    • Allow pppd_t domain creating pppox sockets BZ(1566271)
    • Allow systemd_networkd_t to read/write tun tap devices
    • etc.


    Perhaps this might include the fix?
