Dear maintainers,
When running the lldp daemon on a server, you can get the following error message:
"""
i40e driver detected for ens10f1, disabling LLDP in firmware
cannot open /sys/kernel/debug/i40e/0000:0f:00.1/command to disable LLDP in firmware for ens10f1: Permission Denied
"""
In the SELinux logs, you can see lldp trying to open a specific file and write to it:
"""
avc: denied { write } for pid=2264219
comm="lldpd" name="command" dev="debugfs" ino=109
avc: denied { open } for pid=2264219 comm="lldpd" path="/sys/kernel/debug/i40e/0000:0f:00.0/command"
"""
LLDP needs the following authorization: "allow lldpad_t debugfs_t:file { open write };"
In fact, if you are trying to configure and run a local lldp daemon, you don't want the network card to run LLDP as well: both will conflict, and the lldp daemon is probably configured to give better information to network administrators (the hostname of the server, for example). It could be a good idea to (optionally?) allow the lldp daemon to automatically unconfigure LLDP on network cards.
I've tried to create a patch doing this (create a boolean, add permissions to read and write debugfs files). It could be simplified to allow writing to debugfs without a boolean, but I feel like it could be a security issue, and an optional boolean enabled only if needed is a better option.

Because I'm not a developer at all, I wasn't able to fully test this, so I'm not 100% sure it is working. If anyone is able to test it, please check that everything compiles correctly. I've preferred to share my work, hoping someone could benefit from it.
Regards
--- policy/modules/services/lldpad.te.old 2025-03-13 15:16:38.982728194 +0100 +++ policy/modules/services/lldpad.te.new 2025-03-13 15:17:03.111728930 +0100 @@ -4,6 +4,16 @@ # # Declarations # +## <desc> +## <p> +## Allow lldp daemonn to write +## to debugfs. +## Permit lldp to automatically +## disable LLDP on physical +## network card +## </p> +## </desc> +gen_tunable(allow_lldpad_write_debugfs, false) type lldpad_t; type lldpad_exec_t; @@ -60,3 +70,8 @@ optional_policy(` fcoe_dgram_send_fcoemon(lldpad_t) ') + +tunable_policy(`allow_lldpad_write_debugfs',` + kernel_manage_debugfs(lldpad_t) +') +
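Review bot: in the first hunk (Declarations), the tunable name `allow_lldpad_write_debugfs` does not follow the module-prefixed naming that refpolicy usually uses for a service's booleans; `lldpad_write_debugfs` would match the module name and the other `lldpad_*` identifiers in this file. The `<desc>` text also has a typo ("daemonn") and reads as two unconnected fragments; a single sentence such as "Allow lldpad to write to debugfs, so it can disable LLDP in the NIC firmware (e.g. i40e) and be the only LLDP agent on the link." would document why the boolean exists.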
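Review bot: in the second hunk, `kernel_manage_debugfs(lldpad_t)` grants far more than the denial quoted in the mail requires: the AVC asks for `{ open write }` on a `debugfs_t` file, while the manage interface also allows creating, deleting and renaming files and directories under debugfs. A read/write-files interface on `debugfs_t` (adding one to kernel.if if none exists) keeps the boolean limited to what lldpd actually does. Two things to verify before merging, since the mail says the patch is untested: the daemon must really run as `lldpad_t` (the AVC lines omit scontext and show `comm="lldpd"`, so check that the lldpd binary is labelled `lldpad_exec_t`), and `lldpad_t` must be able to search the directories leading to the debugfs mount point, which the quoted denials do not cover. Style-wise, refpolicy places `tunable_policy` blocks before the `optional_policy` blocks rather than after the last one as done here.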
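To make the denial above concrete, here is an added example (our own shell, not lldpd or refpolicy code) that performs the same operation lldpd attempts: it resolves an interface to its PCI address and driver through sysfs, builds the i40e debugfs `command` path shown in the error message, and writes the firmware-LLDP stop command to it, reporting the "cannot write" failure mode separately from "not an i40e NIC". Assumptions not stated in the post: the sysfs layout `class/net/<if>/device` and `device/driver` being symlinks named after the PCI address and the driver, debugfs mounted at `/sys/kernel/debug`, and `lldp stop` being the string the i40e driver's debugfs command file accepts; the function names and the optional root arguments (which let the script run against a fake tree) are ours.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post, lldpd or refpolicy.
# Mirrors what lldpd does on an Intel i40e NIC: locate the PCI function
# behind an interface and write "lldp stop" into the i40e debugfs command
# file so that only the host LLDP daemon speaks LLDP on the link.
#
# Assumptions (ours): <sysfs>/class/net/<if>/device is a symlink whose
# basename is the PCI address, <device>/driver a symlink whose basename is
# the driver name, and debugfs is mounted at /sys/kernel/debug.

# Print the i40e debugfs command path for an interface.
# $1 interface, $2 sysfs root (default /sys), $3 debugfs root
# (default /sys/kernel/debug); the roots exist so this can run offline.
# Exit status: 0 ok, 1 no PCI device, 2 not driven by i40e.
i40e_fw_lldp_command_path() {
    ifname=$1
    sysfs=${2:-/sys}
    debugfs=${3:-/sys/kernel/debug}
    dev="$sysfs/class/net/$ifname/device"
    if [ ! -L "$dev" ]; then
        echo "$ifname: no PCI device behind this interface" >&2
        return 1
    fi
    pci=$(basename "$(readlink "$dev")")
    driver=$(basename "$(readlink "$dev/driver")")
    if [ "$driver" != "i40e" ]; then
        echo "$ifname: driver is $driver, not i40e; nothing to do" >&2
        return 2
    fi
    printf '%s/i40e/%s/command\n' "$debugfs" "$pci"
}

# Disable LLDP in the NIC firmware for one interface.
# Exit status: 0 stopped, 1 not an i40e interface, 3 write refused
# (the EACCES case from the post: not root, debugfs not mounted, or an
# SELinux denial on debugfs_t).
disable_fw_lldp() {
    ifname=$1
    cmdfile=$(i40e_fw_lldp_command_path "$ifname" "$2" "$3") || return 1
    if printf 'lldp stop\n' > "$cmdfile" 2>/dev/null; then
        echo "$ifname: firmware LLDP stopped via $cmdfile"
        return 0
    fi
    echo "$ifname: cannot write $cmdfile (permission denied?)" >&2
    # With SELinux enforcing, the refusal shows up as an AVC on debugfs_t,
    # which is exactly the denial the proposed boolean is meant to cover.
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux mode: $(getenforce)" >&2
    fi
    return 3
}

# Usage on a real host (needs root and a mounted debugfs):
#   disable_fw_lldp ens10f1
```

Run it as root before starting lldpd; if it returns 3 on an SELinux host, look for the `debugfs_t` AVC in the audit log rather than loosening the file's permissions.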