Re: [PATCH] lldpad_t tries to automatically disable LLDP on network card but is blocked

Chris PeBenito <pebenito@xxxxxxxx> · Thu, 13 Mar 2025 11:32:57 -0400

On 3/13/2025 10:29 AM, bmare wrote:
When running lldp daemon on a server, you can have the following error 
message:

"""

i40e driver detected for ens10f1, disabling LLDP in firmware

cannot open /sys/kernel/debug/i40e/0000:0f:00.1/command to disable LLDP 
in firmware for ens10f1: Permission Denied

"""

In the selinux logs, you can see lldp is trying to open a specific file 
and write to it

"""

avc:  denied  { write } for  pid=2264219 comm="lldpd" name="command" 
dev="debugfs" ino=109

avc:  denied  { open } for  pid=2264219 comm="lldpd" path="/sys/kernel/ 
debug/i40e/0000:0f:00.0/command"

"""

 > LLDP needs the following authorization: "allow lldpad_t 
debugfs_t:file { open write };"

In fact, if you are trying to configure and run a local lldp daemon, you 
don't wan't the network card to run LLDP as well, both will conflicts, 
and lldp daemon is probably configured to give better informations for 
network administrators (hostname of the server for example). It could be 
a good idea to (optionally ?) allow lldp daemon to automatically 
unconfigure LLDP on network cards.

I've tried to create a patch doing this (create a boolean, add 
permissions to read and write do debugfs files). It could be simplified 
to allow writing to debugfs without a boolean, but I feels like it could 
be a security issue and an optional boolean enabled only if needed is a 
better option.

I definitely agree that the debugfs use is problematic and we would want 
this to be conditional in the policy.

The fact that there is no standard interface for doing this, such as in 
sysfs, seems like an issue in the driver(s) too.  Configuring a device 
shouldn't go through debugfs AFAIK.

--- policy/modules/services/lldpad.te.old	2025-03-13 15:16:38.982728194 +0100
+++ policy/modules/services/lldpad.te.new	2025-03-13 15:17:03.111728930 +0100
@@ -4,6 +4,16 @@
 #
 # Declarations
 #
+## <desc>
+##      <p>
+##      Allow lldp daemonn to write
+##      to debugfs.
+##      Permit lldp to automatically
+##      disable LLDP on physical
+##      network card
+##      </p>
+## </desc>
+gen_tunable(allow_lldpad_write_debugfs, false)
 
 type lldpad_t;
 type lldpad_exec_t;
@@ -60,3 +70,8 @@
 optional_policy(`
 	fcoe_dgram_send_fcoemon(lldpad_t)
 ')
+
+tunable_policy(`allow_lldpad_write_debugfs',`
+        kernel_manage_debugfs(lldpad_t)

Based on the logs you provided, this is excessive access, so I'd make a 
new kernel_write_debugfs() interface with only write access.


--
Chris PeBenito







