On Tuesday 08 December 2009 08:32:24 pm Russell Coker wrote:
> ---------- Forwarded Message ----------
>
> Subject: selinux permissive blocking tun/tap device creation in v2.6.32
> Date: Wed, 9 Dec 2009
> From: Andrew Worsley <amworsley@xxxxxxxxx>
> To: luv-main@xxxxxxxxxx
>
> I upgraded to the v2.6.32 kernel and I found tunctl would fail with
> the ioctl TUNSETIFF rejected with an EINVAL. A real pain when running
> VPN and KVMs which use these.
>
> I don't know where to go from this - so directions as to where to post
> / look would be appreciated, but at least I can now create tap
> interfaces.
>
> I am looking for suggestions where I should post this to find a fix or
> other better workaround than merely commenting out this code...
>
> Andrew
>
> I eventually traced this via recompiling the tun module with tracing
> to this code:
>
>         printk(KERN_INFO "tun: tun_set_iff () 10\n");
>         if (!capable(CAP_NET_ADMIN))
>                 return -EPERM;
>         printk(KERN_INFO "tun: tun_set_iff () 11\n");
> #if 0
>         err = security_tun_dev_create();
>         if (err < 0)
>                 return err;
> #endif
>
>         printk(KERN_INFO "tun: tun_set_iff () 12\n");
>         /* Set dev type */
>         if (ifr->ifr_flags & IFF_TUN) {
>                 /* TUN device */
>
> in drivers/net/tun.c (commenting out the above allows the tunctl
> command to work!)

I imagine this is because the original reporter is using an SELinux policy
without the new TUN socket classes/permissions (which is likely the common
case at this point). The unknown class/permission handling that Eric added
_should_ protect us from this - Russell, do you have any more information
about the distribution and policy in use here?

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
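The diagnosis Paul asks for above (does the loaded policy define the tun_socket class that security_tun_dev_create() checks, and if not, does the policy tell the kernel to allow or deny unknown classes) can be read straight out of selinuxfs instead of patching the hook out of drivers/net/tun.c. The script below is an added example written for this page; it is not code from the thread, the kernel or any distribution. It assumes selinuxfs is mounted at /sys/fs/selinux (current kernels) or /selinux (kernels of the 2.6.32 era), that a defined class appears as the directory class/<name> with its permissions under perms/, and that deny_unknown reads 1 when unknown classes are denied and 0 when they are allowed. The path is a parameter so the check can also be run against a constructed directory tree.

```sh
#!/bin/sh
# Added example: report whether the running policy knows the tun_socket
# class behind the 2.6.32 security_tun_dev_create() hook, and how the
# kernel treats permission checks against classes the policy lacks.
# Assumed layout of selinuxfs: <root>/deny_unknown, <root>/class/<name>/perms/.

# Prints one of:
#   not-selinux            selinuxfs is not mounted at the given path
#   class-present          the policy defines tun_socket
#   class-missing-allowed  no tun_socket class, unknown classes are allowed
#   class-missing-denied   no tun_socket class, unknown classes are denied
tun_class_status() {
    sefs="${1:-/sys/fs/selinux}"
    if [ ! -r "$sefs/deny_unknown" ]; then
        echo "not-selinux"
        return 0
    fi
    if [ -d "$sefs/class/tun_socket" ]; then
        echo "class-present"
        return 0
    fi
    # deny_unknown is 1 when the policy asks the kernel to deny permission
    # checks against classes it does not define, 0 when it asks to allow them.
    if [ "$(cat "$sefs/deny_unknown")" = "1" ]; then
        echo "class-missing-denied"
    else
        echo "class-missing-allowed"
    fi
}

# Lists the permissions the policy defines on tun_socket (one per line),
# so they can be compared against the policy source. Fails if the class
# is absent.
tun_class_perms() {
    sefs="${1:-/sys/fs/selinux}"
    [ -d "$sefs/class/tun_socket/perms" ] || return 1
    ls "$sefs/class/tun_socket/perms"
}

# Stand-alone use: describe the live system. Optional argument: selinuxfs path.
status=$(tun_class_status "${1:-}")
echo "tun_socket class: $status"
case "$status" in
    class-present)
        echo "defined permissions:"
        tun_class_perms "${1:-}"
        ;;
    class-missing-denied)
        echo "policy lacks tun_socket and denies unknown classes:"
        echo "TUNSETIFF will be refused by the LSM hook until the policy is updated"
        ;;
    class-missing-allowed)
        echo "policy lacks tun_socket but allows unknown classes:"
        echo "the LSM hook should not be what refuses TUNSETIFF here"
        ;;
esac
```

Run it as root on the affected box, or with /selinux as the argument on an older layout. A class-missing-denied result confirms the policy is the cause; class-missing-allowed means the unknown-class handling is doing its job and the failure has to be looked for elsewhere, which is the distinction Paul's question is trying to draw.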