RHEL-82780

l2tpd_var_run_t is not a valid type attribute


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Undefined
    • rhel-10.0
    • selinux-policy
    • rhel-security-selinux
    • ssg_security

      What were you trying to do that didn't work?

      There is no selinux type l2tpd_var_run_t in RHEL-9 anymore:

      # sesearch -s l2tpd_var_run_t -A
      l2tpd_var_run_t is not a valid type attribute
      

      It was used for allowing ipsec_t in RHEL-9 as follows:

      # rpm -q selinux-policy
      selinux-policy-38.1.53-2.el9.noarch
      
      # sesearch -s ipsec_t -A | grep l2tp
      allow ipsec_t l2tpd_t:fifo_file { append getattr ioctl lock open read write };
      allow ipsec_t l2tpd_var_run_t:file { getattr ioctl lock open read };
      

      Even though neither RHEL-9 nor RHEL-10 comes with an l2tp server (there is xl2tpd in EPEL for both 9 and 10), this feels like a regression compared to RHEL-9.

      Is there some specific reason why l2tpd_var_run_t was dropped? There does not seem to be any other l2tp type replacing it.

      What is the impact of this issue to you?

      IKEv1 IPsec connections to L2TP server might not work.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-40.13.26-1.el10.noarch

      Expected results

      # sesearch -s ipsec_t -A | grep l2tp
      allow ipsec_t l2tpd_t:fifo_file { append getattr ioctl lock open read write };
      allow ipsec_t l2tpd_var_run_t:file { getattr ioctl lock open read };
      

      Actual results

      # sesearch -s ipsec_t -A | grep l2tp
      <nothing>
      

      Additional information

      Notice there is /selinux-policy/Regression/libreswan-and-similar test case in selinux-policy dist-git for this:

      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      ::   bz#1607994
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      
      /usr/libexec/ipsec/addconn	system_u:object_r:ipsec_exec_t:s0
      :: [ 17:48:42 ] :: [   PASS   ] :: Result of matchpathcon /usr/libexec/ipsec/addconn should contain ipsec_exec_t (Assert: expected 0, got 0)
      :: [ 17:48:42 ] :: [   INFO   ] :: rlSESearchRule: checking rule 'allow ipsec_t l2tpd_var_run_t : file { getattr open read ioctl } [ ]'
      FILTERED RULES
      l2tpd_var_run_t is not a valid type attribute
      :: [ 17:48:42 ] :: [   FAIL   ] ::   check permission 'getattr' is present (Assert: '1' should equal '0')
      :: [ 17:48:42 ] :: [   FAIL   ] ::   check permission 'open' is present (Assert: '1' should equal '0')
      :: [ 17:48:42 ] :: [   FAIL   ] ::   check permission 'read' is present (Assert: '1' should equal '0')
      :: [ 17:48:42 ] :: [   FAIL   ] ::   check permission 'ioctl' is present (Assert: '1' should equal '0')
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      ::   Duration: 1s
      ::   Assertions: 1 good, 4 bad
      ::   RESULT: FAIL (bz#1607994)
      

      This was addressed in the past in bz#1607994.
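The rlSESearchRule assertion quoted above checks that a loaded policy still grants every permission of an expected allow rule; the following is an added example of the same check as a stand-alone POSIX shell script (not code from this report, from the selinux-policy test suite, or from setools). It parses the sesearch rule format quoted in the report, and the constructed sample inputs reproduce the RHEL-9 rules and the RHEL-10 "not a valid type attribute" error shown above.

```shell
# Read `sesearch -A` output on stdin and print the permissions from WANT that
# no "allow SRC TGT:CLS ..." rule grants. Reading stdin lets the parser be
# exercised on constructed text without a loaded policy.
missing_perms() {
    src=$1; tgt=$2; cls=$3; want=$4   # WANT: space-separated permission names
    granted=$(awk -v s="$src" -v t="$tgt" -v c="$cls" '
        # rule syntax: allow SRC TGT:CLS { p1 p2 ... };   or   allow SRC TGT:CLS p1;
        $1 == "allow" && $2 == s && $3 == (t ":" c) {
            for (i = 4; i <= NF; i++) {
                p = $i; last = (p ~ /;$/)
                gsub(/[{};]/, "", p)          # strip brace and terminator characters
                if (p != "") printf "%s ", p
                if (last) break               # ignore a trailing conditional suffix
            }
        }')
    # If the target type was removed from the policy (the RHEL-82780 case),
    # sesearch prints "X is not a valid type attribute" instead of rules, so
    # nothing matches and every wanted permission is reported as missing.
    missing=""
    for p in $want; do
        case " $granted" in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Query the loaded policy (requires sesearch from setools); fails like the test.
check_policy_rule() {
    miss=$(sesearch -s "$1" -t "$2" -c "$3" -A 2>&1 | missing_perms "$1" "$2" "$3" "$4")
    [ -z "$miss" ] && { echo "PASS: allow $1 $2:$3 grants $4"; return 0; }
    echo "FAIL: allow $1 $2:$3 missing: $miss"; return 1
}

# Constructed inputs: the RHEL-9 rules and the RHEL-10 error quoted in the report.
RHEL9_RULES='allow ipsec_t l2tpd_t:fifo_file { append getattr ioctl lock open read write };
allow ipsec_t l2tpd_var_run_t:file { getattr ioctl lock open read };'
RHEL10_OUTPUT='l2tpd_var_run_t is not a valid type attribute'

# Run the parser over a sample text instead of a live policy.
check_sample() {   # $1: sample text, $2..$5: src tgt cls want
    printf '%s\n' "$1" | missing_perms "$2" "$3" "$4" "$5"
}
```

On a RHEL-10 host, `check_policy_rule ipsec_t l2tpd_var_run_t file "getattr open read ioctl"` reports all four permissions missing, exactly as the test log above does.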

              Zdenek Pytela (rhn-support-zpytela)
              Ondrej Moris (omoris)
              Zdenek Pytela
              Milos Malik
              Votes: 0
              Watchers: 6