Trying VPN connection (l2tp) and SELinux is getting in the way

Fedora 43/Plasma with latest updates

SELinux whines with:


avc: denied { dac_override } for pid=564504 comm="nm-l2tp-service" capability=1 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=capability permissive=0

Now, is this supposed to block? And should I manually allow it as described by SELinux?

`If you believe that nm-l2tp-service should have the dac_override capability by default.`
`Then you should report this as a bug.`
`You can generate a local policy module to allow this access.`
`Do allow this access for now by executing:`
`# ausearch -c 'nm-l2tp-service' --raw | audit2allow -M my-nml2tpservice`
`# semodule -X 300 -i my-nml2tpservice.pp`

And if I’m supposed to report a bug, where would be the correct place?

Normally if you use an official package to install, it should have the SELinux part updating automatically.

Do you have the instructions you followed?

What instructions do you mean? It’s all out of the box Fedora. I just went and added an l2tp VPN from the network menu.

Ah ok.

Try to rewrite the SELinux rules.
You changed something and SELinux did not get this information.

I guess you need to relabel:

man fixfiles >> see Examples

Alternative info: No Internet-DNS after start - #2 by vgaetera

dac_override provides the ability to bypass standard UNIX file permissions. DAC is short for Discretionary Access Control. I have no idea why it is happening for you or seen this issue before.

You could try the following to see what file nm-l2tp-service was trying to access:

ausearch -m avc -ts recent

Maybe then fix the Unix file permissions on that file/folder.

The NetworkManager-l2tp package doesn’t come with any SELinux files or subpackages, the package to report SELinux bugs against is the selinux-policy package on Fedora Bugzilla (bugzilla.redhat.com). But having said that, as I haven’t seen others report this issue yet, I suspect it is your local Unix file permissions that are causing the issue.

Hi,

Well, it happens on both my fedora/plasma computers for some reason.

Here is what ausearch -m avc -ts recent yields:

type=AVC msg=audit(1771236519.437:399): avc: denied { dac_override } for pid=30492 comm="nm-l2tp-service" capability=1 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=capability permissive=0

Can you figure out what it is? Perhaps is some setting of my VPN that is causing this?

I wonder whether it has something to do with the certificate I import. If I go with password then I don’t see the SELinux error, though it doesn’t work at the end (because I need to auth via a certificate).

Just a random idea, maybe place the certificate in one of the pre-configured paths for this program’s policy and tag it with the l2tp_conf_t SELinux type selinux-policy/policy/modules/contrib/l2tp.fc at 08735516ec1c70d4a1de713c6af4b7c7de0de20b · fedora-selinux/selinux-policy · GitHub

The dac_override failure makes me think that process under user A tries to read file from user B.

I generally also rely on the output of audit2allow -a to understand better the issues, instead of the audit log.

1 Like

I’ve put the certificate in my home, chmod ME:root ugo+r, chcon -t l2tp_conf_t mycert.p12 and result of audit2allow -a is

```
#============= container_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#       mlsconstrain file { ioctl read lock execute execute_no_trans } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { write setattr append unlink link rename } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { create relabelto } ((h1 dom h2 -Fail-)  and (l2 eq h2)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { relabelfrom } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED

#       Possible cause is the source level (s0:c572,c849) and target level (s0:c524,c939) are different.
allow container_t container_file_t:file read;
allow container_t user_home_t:file read;

#============= gnome_atspi_t ==============
allow gnome_atspi_t gconf_home_t:dir search;
allow gnome_atspi_t self:capability { dac_override dac_read_search };
allow gnome_atspi_t session_dbusd_tmp_t:sock_file write;

#============= l2tpd_t ==============
allow l2tpd_t self:capability dac_override;
allow l2tpd_t user_tmp_t:file open;

#============= switcheroo_control_t ==============
allow switcheroo_control_t self:capability sys_admin;

#============= systemd_machined_t ==============

#!!!! This avc is allowed in the current policy
allow systemd_machined_t svirt_t:dir search;

#============= unconfined_t ==============
allow unconfined_t l2tpd_t:file relabelto;

#============= virtnodedevd_t ==============
allow virtnodedevd_t self:capability { dac_override dac_read_search };

#============= virtstoraged_t ==============
allow virtstoraged_t self:capability fowner;
allow virtstoraged_t user_home_t:dir setattr;
```

Please click first on the preformatted </> text button and paste the output. This way it displays in the black output window and is also easily readable when someone is using the dark theme.

I almost need sun glasses to read such topics :wink:

I know it is not really your fault .. it is the new rich-text editor which is the default. You might click on the A button at the top right to switch between them.

Uh, sorry about that, didn’t realize that the order matters. Fixed.

1 Like

I would probably switch SELinux to permissive, run the application as normal, collect all the rules given for l2tp by audit2allow and create a custom te file (maybe ausearch has an option to filter things out; I’d manually copy-paste those and ask an LLM for instructions).

With that sorted out, I would also open a bug report with the rules you had to apply. On GitHub it seems that rules for l2tp have been last changed 2 and 6 years ago. Maybe software has changed and this feature/plugin is not as popular to be caught until now?

2 Likes
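Taking the ausearch suggestion and the "collect the l2tp rules into a custom te file" approach above together, here is an added example (my own code, not from this thread, NetworkManager-l2tp or selinux-policy) that parses raw ausearch output, collapses denied AVCs into allow rules for one source domain only, and flags dac_override denials as a sign to check the file's owner and mode before granting the capability. The first record is the denial posted in this thread; the second AVC and the SYSCALL line are constructed.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the denial posted in this thread;
# the second AVC and the SYSCALL record are made up to show a file denial and a
# non-AVC line being skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1771236519.437:399): avc:  denied  { dac_override } for  pid=30492 comm="nm-l2tp-service" capability=1 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1771236519.438:400): avc:  denied  { open } for  pid=30492 comm="nm-l2tp-service" path="/tmp/mycert.p12" scontext=system_u:system_r:l2tpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1771236519.438:400): arch=c000003e syscall=257 success=no exit=-13
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def _type_of(context):
    return context.split(":")[2]  # user:role:type:level -> type

def parse_avc(text):
    """Return (source_type, target_type, tclass, perms, comm) for every denied AVC line."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD records etc. carry no AVC decision
        comm = re.search(r'comm="([^"]*)"', line)
        out.append((_type_of(m["scon"]), _type_of(m["tcon"]), m["tclass"],
                    tuple(m["perms"].split()), comm.group(1) if comm else ""))
    return out

def allow_rules(denials, only_source=None):
    """audit2allow-style allow rules; only_source (e.g. l2tpd_t) drops other domains' denials."""
    perms = defaultdict(set)
    for src, tgt, cls, ps, _ in denials:
        if only_source and src != only_source:
            continue
        perms[(src, "self" if src == tgt else tgt, cls)].update(ps)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        p = sorted(ps)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def dac_override_hints(denials):
    """dac_override means the kernel's DAC check (owner/mode) failed first; before granting the
    capability, look at the ownership and mode of the files that process opens."""
    return [f"{comm}: check owner/mode of the files it opens before allowing dac_override"
            for _, _, cls, ps, comm in denials if cls == "capability" and "dac_override" in ps]
```

Feed it `ausearch -m avc -ts recent` output and call `allow_rules(parse_avc(text), only_source="l2tpd_t")` to get only the l2tpd_t lines for a .te file, instead of the unrelated container_t and virt rules that `audit2allow -a` mixes in.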

I think the certificate issue is related to CVE-2025-9615, which allowed non-admin users to access other users’ certificates.

NetworkManager-l2tp 1.52.0 was released last month (and is in Fedora Updates) which in combination with NetworkManager 1.52.2, 1.54.3 or 1.56.0 and later is supposed to fix CVE-2025-9615.

There is a bit more info here:

NetworkManager-l2tp 1.52.0 now uses the nm_utils_copy_cert_as_user() function to copy the corresponding certificate file as the user to temp location /run/NetworkManager/cert/. More info on that function here:

So, I think this SELinux certificate issue was introduced with NetworkManager-l2tp 1.52.0. There aren’t that many L2TP users using a machine certificate as there are using a PSK, so this issue went unnoticed for the past month, plus it didn’t help that there was a kl2tpd SELinux issue (only fixed last month in the selinux-policy package) because of which many Fedora 43 L2TP users disabled SELinux or changed to permissive. Note: kl2tpd is the new L2TP daemon used by Fedora 43’s NetworkManager-l2tp.

1 Like

audit2why might offer some insight.

However, I can’t say it’s ever been a huge help to me, but it does turn the terse output of the audit log into something slightly more palatable.

What do you suggest to do? Report the bug? And if yes, where to? Over here - GitHub - nm-l2tp/NetworkManager-l2tp: L2TP and L2TP/IPsec support for NetworkManager ? Or is this more a fedora/selinux issue?

I get a whole heap of nm-libnm-helper AVC denied errors before the { dac_override } for nm-l2tp-service, when I tried with a dummy machine certificate:

AVC avc:  denied  { setgid } comm="nm-libnm-helper" ...
AVC avc:  denied  { read } comm="nm-libnm-helper" ...
AVC avc:  denied  { write } comm="nm-libnm-helper" ...
AVC avc:  denied  { connectto } comm="nm-libnm-helper" ...
AVC avc:  denied  { search } comm="nm-libnm-helper" ...
AVC avc:  denied  { setuid } comm="nm-libnm-helper" ...
AVC avc:  denied  { open } comm="nm-libnm-helper" ...
AVC avc:  denied  { dac_override } comm="nm-l2tp-service"

I suspect nm-libnm-helper is being used to copy the certificate to /run/NetworkManager/cert/ as the user, as part of the fix for CVE-2025-9615.

I’m the upstream NetworkManager-l2tp maintainer and I would have received the bug report had you posted to the GitHub nm-l2tp issues page. I disable or set SELinux to permissive as it gets in the way while developing code, so don’t really deal with SELinux issues much. Also, there is no NetworkManager-l2tp-selinux RPM as SELinux for L2TP is taken care of by the selinux-policy RPM.

It would be best to file a Fedora bug on bugzilla.redhat.com/ and select selinux-policy as the component.

Alternatively, open an issue on the Fedora SELinux policy issues page, github.com/fedora-selinux/selinux-policy

1 Like

Filed a bug on bugzilla.

2 Likes