Bug 1906278 - [OVS IPsec] Permission denied: '/etc/ipsec.conf' with SELinux is Enforcing
Summary: [OVS IPsec] Permission denied: '/etc/ipsec.conf' with SELinux is Enforcing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: openvswitch-selinux-extra-policy
Version: FDP 20.I
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assignee: Aaron Conole
QA Contact: qding
URL:
Whiteboard:
Depends On:
Blocks: 1915531
Reported: 2020-12-10 06:13 UTC by qding
Modified: 2021-02-03 21:22 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1915531
Environment:
Last Closed: 2021-02-03 21:22:27 UTC
Target Upstream Version:
Embargoed:


Attachments
audit.log (55.70 KB, text/plain), 2020-12-16 12:45 UTC, qding
audit log for rhel7 (81.16 KB, text/plain), 2020-12-18 03:56 UTC, qding
audit log for permissive (75.59 KB, text/plain), 2021-01-14 05:46 UTC, qding
audit log for self signed certificate (141.53 KB, text/plain), 2021-01-15 08:47 UTC, qding
audit log for CA signed certificate (140.76 KB, text/plain), 2021-01-15 08:48 UTC, qding
audit_self_signed_1.log (43.69 KB, text/plain), 2021-01-18 08:12 UTC, qding
audit log for self signed certificate with openvswitch-selinux-extra-policy-1.0-26.el8fdp (88.39 KB, text/plain), 2021-01-19 02:55 UTC, qding
audit log for CA signed certificate with openvswitch-selinux-extra-policy-1.0-26.el8fdp (71.51 KB, text/plain), 2021-01-19 02:56 UTC, qding
audit log for self signed certificate with openvswitch-selinux-extra-policy-1.0-27.el8fdp (110.03 KB, text/plain), 2021-01-20 02:40 UTC, qding
audit log for 27 with permissive (65.80 KB, text/plain), 2021-01-20 02:51 UTC, qding
ovs-monitor-ipsec.log (65.59 KB, text/plain), 2021-01-22 01:43 UTC, qding
Audit logs for AVC when running ovs-appctl (3.31 KB, application/gzip), 2021-01-28 23:01 UTC, Mark Gray


Links
Red Hat Product Errata RHBA-2021:0405 (last updated 2021-02-03 21:22:30 UTC)

Description qding 2020-12-10 06:13:06 UTC
Description of problem:

[root@dell-per730-04 ~]# systemctl restart openvswitch-ipsec
Job for openvswitch-ipsec.service failed because the control process exited with error code.
See "systemctl status openvswitch-ipsec.service" and "journalctl -xe" for details.
[root@dell-per730-04 ~]# journalctl -xe
-- 
-- The unit openvswitch-ipsec.service has entered the 'failed' state with result 'exit-code'.
Dec 10 01:03:08 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: Failed to start OVS IPsec daemon.
-- Subject: Unit openvswitch-ipsec.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit openvswitch-ipsec.service has failed.
-- 
-- The result is failed.
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: Starting OVS IPsec daemon...
-- Subject: Unit openvswitch-ipsec.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit openvswitch-ipsec.service has begun starting up.
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]: 2020-12-10T06:03:12Z |  0  | ovs-monitor-ipsec | ERR | IKE daemon is not installed in the system.
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-monitor-ips[28626]: ovs|  0  | ovs-monitor-ipsec | ERR | IKE daemon is not installed in the system.
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]: 2020-12-10T06:03:12Z |  1  | ovs-monitor-ipsec | ERR | traceback
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]: Traceback (most recent call last):
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1237, in <module>
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:     main()
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1184, in main
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:     monitor = IPsecMonitor(root_prefix, args.ike_daemon)
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 952, in __init__
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:     self.ike_helper.restart_ike_daemon()
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 454, in restart_ike_daemon
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:     f = open(self.IPSEC_CONF, "w")
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]: PermissionError: [Errno 13] Permission denied: '/etc/ipsec.conf'
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-monitor-ips[28626]: ovs|  1  | ovs-monitor-ipsec | ERR | traceback
                                                                                Traceback (most recent call last):
                                                                                  File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1237, in <module>
                                                                                    main()
                                                                                  File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1184, in main
                                                                                    monitor = IPsecMonitor(root_prefix, args.ike_daemon)
                                                                                  File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 952, in __init__
                                                                                    self.ike_helper.restart_ike_daemon()
                                                                                  File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 454, in restart_ike_daemon
                                                                                    f = open(self.IPSEC_CONF, "w")
                                                                                PermissionError: [Errno 13] Permission denied: '/etc/ipsec.conf'
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: openvswitch-ipsec.service: Control process exited, code=exited status=1
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: openvswitch-ipsec.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- The unit openvswitch-ipsec.service has entered the 'failed' state with result 'exit-code'.
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: Failed to start OVS IPsec daemon.
-- Subject: Unit openvswitch-ipsec.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit openvswitch-ipsec.service has failed.
-- 
-- The result is failed.
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# getenforce 
Enforcing
[root@dell-per730-04 ~]# setenforce 0
[root@dell-per730-04 ~]# systemctl restart openvswitch-ipsec
[root@dell-per730-04 ~]# 





Version-Release number of selected component (if applicable):

[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-74.el8fdp.x86_64
openvswitch2.13-2.13.0-74.el8fdp.x86_64
openvswitch2.13-ipsec-2.13.0-74.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
[root@dell-per730-04 ~]# 



How reproducible: always


Steps to Reproduce:
1. systemctl start openvswitch-ipsec

Actual results:

openvswitch-ipsec service fails

Expected results:
openvswitch-ipsec service starts successfully

Additional info:
The package is not for FDP20.I, but I cannot find a more suitable one.

Comment 1 Aaron Conole 2020-12-15 21:32:54 UTC
Please include:

1. ls -laZ /etc/ipsec.conf
2. ps aux | grep ovs
3. /var/log/audit/audit.log

Comment 2 Timothy Redaelli 2020-12-15 22:00:51 UTC
Reassigning to openvswitch-selinux-extra-policy

Comment 3 qding 2020-12-16 12:45:32 UTC
Created attachment 1739625 [details]
audit.log

(In reply to Aaron Conole from comment #1)
> Please include:
> 
> 1. ls -laZ /etc/ipsec.conf

[root@dell-per730-05 ~]# ls -laZ /etc/ipsec.conf
-rw-r--r--. 1 root root system_u:object_r:ipsec_conf_file_t:s0 1557 Nov  3 09:54 /etc/ipsec.conf

> 2. ps aux | grep ovs

[root@dell-per730-05 ~]# ps aux | grep ovs
openvsw+   20078  0.0  0.0  77044  7728 ?        S<s  07:40   0:00 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach
openvsw+   20137  0.0  0.1  92644 51504 ?        S<Ls 07:40   0:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach
root       20173  0.0  0.0  12108  1068 pts/0    S+   07:42   0:00 grep --color=auto ovs
[root@dell-per730-05 ~]# 

> 3. /var/log/audit/audit.log
Please see the attachment audit.log

Comment 4 qding 2020-12-18 03:56:08 UTC
Created attachment 1740111 [details]
audit log for rhel7

The package for RHEL7 has the same issue when SELinux is Enforcing.

[root@dell-per730-04 ~]# uname -r
3.10.0-1160.11.1.el7.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-ipsec-2.13.0-68.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# ls -laZ /etc/ipsec.conf
-rw-r--r--. root root system_u:object_r:ipsec_conf_file_t:s0 /etc/ipsec.conf
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]#  ps aux | grep ovs
openvsw+ 10534  0.0  0.0  60064  2780 ?        S<s  22:46   0:00 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --user openvswitch:openvswitch --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach
openvsw+ 10591  0.0  0.0  62572 15384 ?        S<Ls 22:46   0:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user openvswitch:openvswitch --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach
root     11278  0.0  0.0 132120 11048 ?        Ss   22:47   0:00 /usr/bin/python3 /usr/share/openvswitch/scripts/ovs-monitor-ipsec --pidfile=/var/run/openvswitch/ovs-monitor-ipsec.pid --ike-daemon=libreswan --log-file --detach --monitor unix:/var/run/openvswitch/db.sock
root     11279  0.0  0.0 132120 12264 ?        S    22:47   0:00 /usr/bin/python3 /usr/share/openvswitch/scripts/ovs-monitor-ipsec --pidfile=/var/run/openvswitch/ovs-monitor-ipsec.pid --ike-daemon=libreswan --log-file --detach --monitor unix:/var/run/openvswitch/db.sock
root     11303  0.0  0.0 112812   964 pts/0    S+   22:54   0:00 grep --color=auto ovs
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]#

Comment 12 qding 2021-01-14 05:46:05 UTC
Created attachment 1747309 [details]
audit log for permissive

Steps to set up are as below. Please see the attached audit_permissive.log.

[root@dell-per730-04 ~]# nmcli dev set eno1np0 managed no
[root@dell-per730-04 ~]# ip add add 192.168.123.1/24 dev eno1np0
[root@dell-per730-04 ~]# systemctl restart openvswitch
[root@dell-per730-04 ~]# systemctl restart openvswitch-ipsec
[root@dell-per730-04 ~]# ovs-vsctl add-port ovsbr0 tun123 -- set interface tun123 type=gre options:remote_ip=192.168.123.2 options:local_ip=192.168.123.1 options:psk=test123
ovs-vsctl: no bridge named ovsbr0
[root@dell-per730-04 ~]# ovs-vsctl add-br ovsbr0
[root@dell-per730-04 ~]# ovs-vsctl add-port ovsbr0 tun123 -- set interface tun123 type=gre options:remote_ip=192.168.123.2 options:local_ip=192.168.123.1 options:psk=test123
[root@dell-per730-04 ~]# ip link set ovsbr0 up
[root@dell-per730-04 ~]# ip add add 172.16.30.1/24 dev ovsbr0
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# ip add l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 14:18:77:35:5b:1b brd ff:ff:ff:ff:ff:ff
    inet 10.73.88.41/23 brd 10.73.89.255 scope global dynamic noprefixroute eno1
       valid_lft 42450sec preferred_lft 42450sec
    inet6 2620:52:0:4958:1618:77ff:fe35:5b1b/64 scope global dynamic noprefixroute 
       valid_lft 2591901sec preferred_lft 604701sec
    inet6 fe80::1618:77ff:fe35:5b1b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: eno2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1c brd ff:ff:ff:ff:ff:ff
4: eno3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1d brd ff:ff:ff:ff:ff:ff
5: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:ab:35:64 brd ff:ff:ff:ff:ff:ff
6: eno4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1e brd ff:ff:ff:ff:ff:ff
7: enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:ab:35:66 brd ff:ff:ff:ff:ff:ff
8: eno1np0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.1/24 scope global eno1np0
       valid_lft forever preferred_lft forever
9: eno1np1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ad brd ff:ff:ff:ff:ff:ff
10: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
11: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether b6:62:d2:aa:84:60 brd ff:ff:ff:ff:ff:ff
12: ovsbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 0a:e7:01:12:50:4d brd ff:ff:ff:ff:ff:ff
    inet 172.16.30.1/24 scope global ovsbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::8e7:1ff:fe12:504d/64 scope link 
       valid_lft forever preferred_lft forever
13: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
14: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
16: gre_sys@NONE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc fq_codel master ovs-system state UNKNOWN group default qlen 1000
    link/ether b6:7d:6b:a4:1c:fe brd ff:ff:ff:ff:ff:ff
    inet6 fe80::b47d:6bff:fea4:1cfe/64 scope link 
       valid_lft forever preferred_lft forever
[root@dell-per730-04 ~]# cat /etc/ipsec.conf 
# Generated by ovs-monitor-ipsec...do not modify by hand!


config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun123-1
    left=192.168.123.1
    right=192.168.123.2
    authby=secret
    leftprotoport=gre
    rightprotoport=gre

[root@dell-per730-04 ~]# ovs-vsctl show
3f83e055-0f31-4935-b05e-ba82261dd80c
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: gre
                options: {local_ip="192.168.123.1", psk=test123, remote_ip="192.168.123.2"}
    ovs_version: "2.13.2"
[root@dell-per730-04 ~]#

Comment 14 qding 2021-01-15 08:47:24 UTC
Created attachment 1747702 [details]
audit log for self signed certificate

Comment 15 qding 2021-01-15 08:48:12 UTC
Created attachment 1747703 [details]
audit log for CA signed certificate

Comment 19 Aaron Conole 2021-01-15 19:25:39 UTC
Latest build:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=34299607

It will resolve all but one class of AVCs. The class to which I'm referring:

type=AVC msg=audit(1610697438.686:243): avc: denied { read } for
pid=24057 comm="openssl" name="h1-cert.pem" dev="dm-0" ino=134568189
scontext=system_u:system_r:openvswitch_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
permissive=1

This AVC is stating that you want the policy to allow openvswitch_t to read /root but we don't give such access to the openvswitch_t domain. Can you update your steps to include placing the psk into /tmp or somewhere that would be a more likely production location? I think it's inappropriate for /root to be accessible to the openvswitch domain.

Comment 20 qding 2021-01-18 08:12:04 UTC
Created attachment 1748383 [details]
audit_self_signed_1.log

With openvswitch-selinux-extra-policy-1.0-26.el8fdp.noarch, self-signed certificate and CA-signed mode still don't work. Please see the attached log for self-signed certificate mode and the trace below.

[root@dell-per730-04 ipsec]# tcpdump -nnev -i eno1np0 -c1
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:57:15.955803 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 136: (tos 0x0, ttl 64, id 25011, offset 0, flags [DF], proto GRE (47), length 122)
    192.168.123.1 > 192.168.123.2: GREv0, Flags [none], proto TEB (0x6558), length 102
	26:57:a3:07:c3:46 > 62:0c:8d:ca:2a:41, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 56144, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.123.1 > 172.16.123.2: ICMP echo request, id 44620, seq 7, length 64
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ipsec]# tcpdump -nnev -i eno1np0 -c1 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ipsec]# 
[root@dell-per730-04 ipsec]# setenforce permissive
[root@dell-per730-04 ipsec]# tcpdump -nnev -i eno1np0 -c1 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:57:50.771791 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 42000, offset 0, flags [DF], proto ESP (50), length 156)
    192.168.123.1 > 192.168.123.2: ESP(spi=0xf8075f7d,seq=0x4), length 136
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ipsec]# setenforce enforcing
[root@dell-per730-04 ipsec]# getenforce 
Enforcing
[root@dell-per730-04 ipsec]# tcpdump -nnev -i eno1np0 -c1 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:59:21.907810 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 28057, offset 0, flags [DF], proto ESP (50), length 156)
    192.168.123.1 > 192.168.123.2: ESP(spi=0xf8075f7d,seq=0x62), length 136
1 packet captured
1 packet received by filter
0 packets dropped by kernel
[root@dell-per730-04 ipsec]#

Comment 21 qding 2021-01-18 08:34:48 UTC
For self-signed certificate mode, after setenforce to permissive, ESP can be tcpdumped; but for CA-signed certificate mode, a systemctl restart openvswitch-ipsec is needed before ESP can be seen. Please see the trace below.

[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 -c 1
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
03:31:03.731803 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 136: (tos 0x0, ttl 64, id 47503, offset 0, flags [DF], proto GRE (47), length 122)
    192.168.123.1 > 192.168.123.2: GREv0, Flags [none], proto TEB (0x6558), length 102
	72:22:cd:fd:e8:49 > c6:3c:b5:e8:b3:40, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 11072, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.123.1 > 172.16.123.2: ICMP echo request, id 7447, seq 12, length 64
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# setenforce permissive
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 -c 1
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
03:31:23.187763 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 136: (tos 0x0, ttl 64, id 58636, offset 0, flags [DF], proto GRE (47), length 122)
    192.168.123.1 > 192.168.123.2: GREv0, Flags [none], proto TEB (0x6558), length 102
	72:22:cd:fd:e8:49 > c6:3c:b5:e8:b3:40, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 18912, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.123.1 > 172.16.123.2: ICMP echo request, id 7447, seq 31, length 64
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]# systemctl restart openvswitch-ipsec
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
03:32:03.123771 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 11364, offset 0, flags [DF], proto ESP (50), length 156)
    192.168.123.1 > 192.168.123.2: ESP(spi=0xfb490a60,seq=0x9), length 136
03:32:03.123973 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 40643, offset 0, flags [DF], proto ESP (50), length 156)
    192.168.123.2 > 192.168.123.1: ESP(spi=0x243d5d94,seq=0x9), length 136
03:32:04.147794 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 12291, offset 0, flags [DF], proto ESP (50), length 156)
    192.168.123.1 > 192.168.123.2: ESP(spi=0xfb490a60,seq=0xa), length 136
03:32:04.147945 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 41139, offset 0, flags [DF], proto ESP (50), length 156)
    192.168.123.2 > 192.168.123.1: ESP(spi=0x243d5d94,seq=0xa), length 136
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]#

Comment 23 qding 2021-01-19 02:55:17 UTC
Created attachment 1748615 [details]
audit log for self signed certificate with openvswitch-selinux-extra-policy-1.0-26.el8fdp

Comment 24 qding 2021-01-19 02:56:00 UTC
Created attachment 1748616 [details]
audit log for CA signed certificate with openvswitch-selinux-extra-policy-1.0-26.el8fdp

Comment 28 qding 2021-01-20 02:40:22 UTC
Created attachment 1748913 [details]
audit log for self signed certificate with openvswitch-selinux-extra-policy-1.0-27.el8fdp

(In reply to Aaron Conole from comment #27)
> https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=34369487
> 
> This build should resolve the perf_event issue.

The build still has an issue. Please see the attached audit_27.log. Thanks.

Comment 29 qding 2021-01-20 02:51:00 UTC
Created attachment 1748921 [details]
audit log for 27 with permissive

The attachment in comment #28 is for SELinux enforcing. This one is for SELinux permissive. Thanks.

[root@dell-per730-04 ipsec]# rpm -qa | grep selin
selinux-policy-targeted-3.14.3-60.el8.noarch
libselinux-2.9-5.el8.x86_64
selinux-policy-3.14.3-60.el8.noarch
python3-libselinux-2.9-5.el8.x86_64
libselinux-utils-2.9-5.el8.x86_64
openvswitch-selinux-extra-policy-1.0-27.el8fdp.noarch
rpm-plugin-selinux-4.14.3-4.el8.x86_64
[root@dell-per730-04 ipsec]# 
[root@dell-per730-04 ipsec]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-79.el8fdp.x86_64
openvswitch2.13-ipsec-2.13.0-79.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-27.el8fdp.noarch
openvswitch2.13-2.13.0-79.el8fdp.x86_64
kernel-kernel-networking-openvswitch-ipsec-1.0-7.noarch
[root@dell-per730-04 ipsec]# 
[root@dell-per730-04 ipsec]# uname -a
Linux dell-per730-04.rhts.eng.pek2.redhat.com 4.18.0-275.el8.x86_64 #1 SMP Sat Jan 16 07:11:30 EST 2021 x86_64 x86_64 x86_64 GNU/Linux
[root@dell-per730-04 ipsec]#

Comment 30 qding 2021-01-20 05:13:39 UTC
With selinux Enforcing, RHEL-8.3.0-updates-20201210.2 doesn't work for self-signed and CA-signed certificate modes either.

[root@dell-per730-04 ipsec]# uname -r
4.18.0-240.8.1.el8_3.x86_64

Comment 31 qding 2021-01-20 08:48:29 UTC
With selinux Enforcing, RHEL-8.3.0 doesn't work for self-signed and CA-signed certificate modes either.

[root@dell-per730-04 ~]# rpm -qa | grep selinux
selinux-policy-3.14.3-54.el8.noarch
libselinux-2.9-3.el8.x86_64
libselinux-utils-2.9-3.el8.x86_64
rpm-plugin-selinux-4.14.3-4.el8.x86_64
selinux-policy-targeted-3.14.3-54.el8.noarch
python3-libselinux-2.9-3.el8.x86_64
openvswitch-selinux-extra-policy-1.0-26.el8fdp.noarch
[root@dell-per730-04 ~]# uname -r
4.18.0-240.el8.x86_64
[root@dell-per730-04 ~]#

Comment 32 Aaron Conole 2021-01-20 13:32:45 UTC
The only selinux issue is:

05:53:19 aconole@dhcp-25 {fast-datapath-rhel-8} ~/rhpkg/openvswitch-selinux-extra-policy$ grep AVC /tmp/mozilla_aconole0/audit_27_permissive.log 
type=USER_AVC msg=audit(1611110562.329:321): pid=1636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

No other AVCs logged, and that is a user-emitted AVC.

What errors are you getting now?

Comment 33 qding 2021-01-21 10:53:41 UTC
(In reply to Aaron Conole from comment #32)
> The only selinux issue is:
> 
> 05:53:19 aconole@dhcp-25 {fast-datapath-rhel-8}
> ~/rhpkg/openvswitch-selinux-extra-policy$ grep AVC
> /tmp/mozilla_aconole0/audit_27_permissive.log 
> type=USER_AVC msg=audit(1611110562.329:321): pid=1636 uid=81 auid=4294967295
> ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> msg='avc:  received setenforce notice (enforcing=0) 
> exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus"
> AUID="unset" SAUID="dbus"
> 
> No other AVCs logged, and that is a user-emitted AVC.
> 
> What errors are you getting now?

With SELinux Enforcing, no IPsec ESP can be seen in the packets through the tunnel. I'm not sure if the messages below from /var/log/audit/audit.log are related. 

[root@dell-per730-04 ipsec]# cat /var/log/audit/audit.log | grep ipsec
type=SERVICE_STOP msg=audit(1611225712.678:1066): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1611225718.234:1074): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1075): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225718.606:1075): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=7f0ddddad9a0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

Comment 34 Aaron Conole 2021-01-21 19:00:56 UTC
Please include the following information:

ls -lahZ /path/to/keyfiles/*

and /var/log/openvswitch/ovs-monitor-ipsec.log

I found that I could reproduce similar behavior to you, where there aren't any audited issues, but that is due to the selinux label of the key files.

We probably need to document what those labels should be, but since they are user supplied, we cannot enforce a specific label scheme.

Comment 35 qding 2021-01-22 01:43:38 UTC
Created attachment 1749600 [details]
ovs-monitor-ipsec.log

(In reply to Aaron Conole from comment #34)
> Please include the following information:
> 
> ls -lahZ /path/to/keyfiles/*

[root@dell-per730-04 ipsec]# ls -lahZ /tmp/keys/*
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 4.2K Jan 21 20:37 /tmp/keys/h1-cert.pem
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 1.7K Jan 21 20:37 /tmp/keys/h1-privkey.pem
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 3.6K Jan 21 20:37 /tmp/keys/h1-req.pem
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 4.2K Jan 21 20:37 /tmp/keys/h2-cert.pem
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 1.7K Jan 21 20:37 /tmp/keys/h2-privkey.pem
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 3.6K Jan 21 20:37 /tmp/keys/h2-req.pem
[root@dell-per730-04 ipsec]# 


> 
> and /var/log/openvswitch/ovs-monitor-ipsec.log

Please see the attachment ovs-monitor-ipsec.log

> 
> I found that I could reproduce similar behavior to 
> you, where there aren't any audited issues, but that
> is due to the selinux label of the key files.
> 
> We probably need to document what those labels
> should be, but since they are user supplied, we cannot
> enforce a specific label scheme.

Thanks

Comment 36 Aaron Conole 2021-01-22 02:02:12 UTC
Try making the change to your key file area:

chcon -R -t ipsec_key_file_t /tmp/keys

This will label your key files with the expected labels.

I see from the logs:


 2021-01-22T01:41:35.376Z |  66 | ovs-monitor-ipsec | WARN | b"Can't open /tmp/keys/h1-cert.pem for reading, Permission denied\n139991330424640:error:0200100D:system library:fopen:Permission denied:crypto/bio/bss_file.c:69:fopen('/tmp/keys/h1-cert.pem','r')\n139991330424640:error:2006D002:BIO routines:BIO_new_file:system lib:crypto/bio/bss_file.c:78:\nunable to load certificate\n"

which may be a suppressed MAC control error w.r.t. the user_tmp_t label.

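The label check behind comment 36, as an added example that is not code from the bug report or from Open vSwitch: it scans `ls -lahZ` output for key files whose SELinux type is not ipsec_key_file_t and prints a persistent relabel (chcon alone is undone by the next restorecon). Assumed: the wanted type is the one named in comment 36, paths contain no whitespace, and semanage/restorecon come from policycoreutils; the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or from Open vSwitch): check that
# the key/certificate files handed to ovs-monitor-ipsec carry the SELinux
# type ipsec_key_file_t, the type comment 36 says the ipsec_t domain (pluto)
# expects, and print the persistent relabel commands when they do not.
# Input is `ls -lahZ /path/to/keys/*` (or `ls -Z`) output, one file per
# line, so it works on pasted listings such as the one in comment 35.
# Assumptions: paths contain no whitespace; semanage/restorecon come from
# policycoreutils.

WANTED_TYPE="ipsec_key_file_t"

# Print "TYPE PATH" for every file whose SELinux type is not $WANTED_TYPE.
# Exit 0 when every listed file is labelled correctly, 1 otherwise.
check_key_labels() {
    awk -v want="$WANTED_TYPE" '
        NF >= 2 {
            # Find the user:role:type:level field; ls -l puts it 5th,
            # plain ls -Z puts it 1st, so scan rather than hard-code.
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:s[0-9]/) { ctx = $i; break }
            if (ctx == "") next        # e.g. the "total 16" header line
            split(ctx, parts, ":")
            if (parts[3] != want) { bad++; print parts[3], $NF }
        }
        END { if (bad > 0) exit 1; exit 0 }'
}

# chcon (comment 36) fixes the label now, but a later restorecon or relabel
# reverts it; a file-context rule makes the type stick. Printed, not run.
print_persistent_fix() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$WANTED_TYPE" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Constructed sample in the shape of the listing in comment 35: two files
# still carry user_tmp_t, one has already been relabelled.
SAMPLE_LISTING='-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 4.2K Jan 21 20:37 /tmp/keys/h1-cert.pem
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 1.7K Jan 21 20:37 /tmp/keys/h1-privkey.pem
-rw-------. 1 root root unconfined_u:object_r:ipsec_key_file_t:s0 4.2K Jan 21 20:37 /tmp/keys/h2-cert.pem'

# Run with --demo to check the sample; on a live host pipe real
# `ls -lahZ /path/to/keys/*` output into check_key_labels instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | check_key_labels || print_persistent_fix /tmp/keys
fi
```

If the failed fopen in the ovs-monitor-ipsec log really is a dontaudit'd access, `semodule -DB` rebuilds the policy with dontaudit rules disabled so the AVC appears in audit.log, and `semodule -B` restores them afterwards.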
Comment 37 qding 2021-01-22 03:49:32 UTC
(In reply to Aaron Conole from comment #36)
> Try making the change to your key file area:
> 
> chcon -R -t ipsec_key_file_t /tmp/keys
> 
> This will label your key files with the expected labels.
> 

The solution solves the issue. And currently all three modes work well. Thank you.
Beaker job: https://beaker.engineering.redhat.com/jobs/5022051

Comment 42 Mark Gray 2021-01-28 23:01:06 UTC
Created attachment 1751885 [details]
Audit logs for AVC when running ovs-appctl

Comment 45 errata-xmlrpc 2021-02-03 21:22:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openvswitch-selinux-extra-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0405

