Description of problem:

[root@dell-per730-04 ~]# systemctl restart openvswitch-ipsec
Job for openvswitch-ipsec.service failed because the control process exited with error code.
See "systemctl status openvswitch-ipsec.service" and "journalctl -xe" for details.
[root@dell-per730-04 ~]# journalctl -xe
--
-- The unit openvswitch-ipsec.service has entered the 'failed' state with result 'exit-code'.
Dec 10 01:03:08 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: Failed to start OVS IPsec daemon.
-- Subject: Unit openvswitch-ipsec.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit openvswitch-ipsec.service has failed.
--
-- The result is failed.
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: Starting OVS IPsec daemon...
-- Subject: Unit openvswitch-ipsec.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit openvswitch-ipsec.service has begun starting up.
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]: 2020-12-10T06:03:12Z | 0 | ovs-monitor-ipsec | ERR | IKE daemon is not installed in the system.
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-monitor-ips[28626]: ovs| 0 | ovs-monitor-ipsec | ERR | IKE daemon is not installed in the system.
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]: 2020-12-10T06:03:12Z | 1 | ovs-monitor-ipsec | ERR | traceback
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]: Traceback (most recent call last):
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1237, in <module>
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:     main()
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1184, in main
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:     monitor = IPsecMonitor(root_prefix, args.ike_daemon)
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 952, in __init__
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:     self.ike_helper.restart_ike_daemon()
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:   File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 454, in restart_ike_daemon
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]:     f = open(self.IPSEC_CONF, "w")
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[28610]: PermissionError: [Errno 13] Permission denied: '/etc/ipsec.conf'
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com ovs-monitor-ips[28626]: ovs| 1 | ovs-monitor-ipsec | ERR | traceback
Traceback (most recent call last):
  File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1237, in <module>
    main()
  File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 1184, in main
    monitor = IPsecMonitor(root_prefix, args.ike_daemon)
  File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 952, in __init__
    self.ike_helper.restart_ike_daemon()
  File "/usr/share/openvswitch/scripts/ovs-monitor-ipsec", line 454, in restart_ike_daemon
    f = open(self.IPSEC_CONF, "w")
PermissionError: [Errno 13] Permission denied: '/etc/ipsec.conf'
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: openvswitch-ipsec.service: Control process exited, code=exited status=1
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: openvswitch-ipsec.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit openvswitch-ipsec.service has entered the 'failed' state with result 'exit-code'.
Dec 10 01:03:12 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: Failed to start OVS IPsec daemon.
-- Subject: Unit openvswitch-ipsec.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit openvswitch-ipsec.service has failed.
--
-- The result is failed.
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# getenforce
Enforcing
[root@dell-per730-04 ~]# setenforce 0
[root@dell-per730-04 ~]# systemctl restart openvswitch-ipsec
[root@dell-per730-04 ~]#

Version-Release number of selected component (if applicable):

[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-74.el8fdp.x86_64
openvswitch2.13-2.13.0-74.el8fdp.x86_64
openvswitch2.13-ipsec-2.13.0-74.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
[root@dell-per730-04 ~]#

How reproducible:
always

Steps to Reproduce:
1. systemctl start openvswitch-ipsec
2.
3.

Actual results:
openvswitch-ipsec service fails

Expected results:
openvswitch-ipsec service starts successfully

Additional info:
The package is not for FDP20.I, but I cannot find a more suitable one.
Please include:

1. ls -laZ /etc/ipsec.conf
2. ps aux | grep ovs
3. /var/log/audit/audit.log
Reassigning to openvswitch-selinux-extra-policy
Created attachment 1739625 [details]
audit.log

(In reply to Aaron Conole from comment #1)
> Please include:
> 
> 1. ls -laZ /etc/ipsec.conf

[root@dell-per730-05 ~]# ls -laZ /etc/ipsec.conf
-rw-r--r--. 1 root root system_u:object_r:ipsec_conf_file_t:s0 1557 Nov 3 09:54 /etc/ipsec.conf

> 2. ps aux | grep ovs

[root@dell-per730-05 ~]# ps aux | grep ovs
openvsw+ 20078 0.0 0.0 77044 7728 ? S<s 07:40 0:00 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach
openvsw+ 20137 0.0 0.1 92644 51504 ? S<Ls 07:40 0:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach
root 20173 0.0 0.0 12108 1068 pts/0 S+ 07:42 0:00 grep --color=auto ovs
[root@dell-per730-05 ~]#

> 3. /var/log/audit/audit.log

Please see the attachment audit.log
Created attachment 1740111 [details]
audit log for rhel7

Package for RHEL7 has the same issue when SELinux is Enforcing.

[root@dell-per730-04 ~]# uname -r
3.10.0-1160.11.1.el7.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-ipsec-2.13.0-68.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ls -laZ /etc/ipsec.conf
-rw-r--r--. root root system_u:object_r:ipsec_conf_file_t:s0 /etc/ipsec.conf
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ps aux | grep ovs
openvsw+ 10534 0.0 0.0 60064 2780 ? S<s 22:46 0:00 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --user openvswitch:openvswitch --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach
openvsw+ 10591 0.0 0.0 62572 15384 ? S<Ls 22:46 0:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user openvswitch:openvswitch --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach
root 11278 0.0 0.0 132120 11048 ? Ss 22:47 0:00 /usr/bin/python3 /usr/share/openvswitch/scripts/ovs-monitor-ipsec --pidfile=/var/run/openvswitch/ovs-monitor-ipsec.pid --ike-daemon=libreswan --log-file --detach --monitor unix:/var/run/openvswitch/db.sock
root 11279 0.0 0.0 132120 12264 ? S 22:47 0:00 /usr/bin/python3 /usr/share/openvswitch/scripts/ovs-monitor-ipsec --pidfile=/var/run/openvswitch/ovs-monitor-ipsec.pid --ike-daemon=libreswan --log-file --detach --monitor unix:/var/run/openvswitch/db.sock
root 11303 0.0 0.0 112812 964 pts/0 S+ 22:54 0:00 grep --color=auto ovs
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=34228760
Created attachment 1747309 [details]
audit log for permissive

Steps to set up are below. Please see the audit_permissive.log.

[root@dell-per730-04 ~]# nmcli dev set eno1np0 managed no
[root@dell-per730-04 ~]# ip add add 192.168.123.1/24 dev eno1np0
[root@dell-per730-04 ~]# systemctl restart openvswitch
[root@dell-per730-04 ~]# systemctl restart openvswitch-ipsec
[root@dell-per730-04 ~]# ovs-vsctl add-port ovsbr0 tun123 -- set interface tun123 type=gre options:remote_ip=192.168.123.2 options:local_ip=192.168.123.1 options:psk=test123
ovs-vsctl: no bridge named ovsbr0
[root@dell-per730-04 ~]# ovs-vsctl add-br ovsbr0
[root@dell-per730-04 ~]# ovs-vsctl add-port ovsbr0 tun123 -- set interface tun123 type=gre options:remote_ip=192.168.123.2 options:local_ip=192.168.123.1 options:psk=test123
[root@dell-per730-04 ~]# ip link set ovsbr0 up
[root@dell-per730-04 ~]# ip add add 172.16.30.1/24 dev ovsbr0
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ip add l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 14:18:77:35:5b:1b brd ff:ff:ff:ff:ff:ff
    inet 10.73.88.41/23 brd 10.73.89.255 scope global dynamic noprefixroute eno1
       valid_lft 42450sec preferred_lft 42450sec
    inet6 2620:52:0:4958:1618:77ff:fe35:5b1b/64 scope global dynamic noprefixroute
       valid_lft 2591901sec preferred_lft 604701sec
    inet6 fe80::1618:77ff:fe35:5b1b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eno2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1c brd ff:ff:ff:ff:ff:ff
4: eno3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1d brd ff:ff:ff:ff:ff:ff
5: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:ab:35:64 brd ff:ff:ff:ff:ff:ff
6: eno4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1e brd ff:ff:ff:ff:ff:ff
7: enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:ab:35:66 brd ff:ff:ff:ff:ff:ff
8: eno1np0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.1/24 scope global eno1np0
       valid_lft forever preferred_lft forever
9: eno1np1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ad brd ff:ff:ff:ff:ff:ff
10: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
11: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether b6:62:d2:aa:84:60 brd ff:ff:ff:ff:ff:ff
12: ovsbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 0a:e7:01:12:50:4d brd ff:ff:ff:ff:ff:ff
    inet 172.16.30.1/24 scope global ovsbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::8e7:1ff:fe12:504d/64 scope link
       valid_lft forever preferred_lft forever
13: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
14: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
16: gre_sys@NONE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc fq_codel master ovs-system state UNKNOWN group default qlen 1000
    link/ether b6:7d:6b:a4:1c:fe brd ff:ff:ff:ff:ff:ff
    inet6 fe80::b47d:6bff:fea4:1cfe/64 scope link
       valid_lft forever preferred_lft forever
[root@dell-per730-04 ~]# cat /etc/ipsec.conf
# Generated by ovs-monitor-ipsec...do not modify by hand!

config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun123-1
    left=192.168.123.1
    right=192.168.123.2
    authby=secret
    leftprotoport=gre
    rightprotoport=gre

[root@dell-per730-04 ~]# ovs-vsctl show
3f83e055-0f31-4935-b05e-ba82261dd80c
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: gre
                options: {local_ip="192.168.123.1", psk=test123, remote_ip="192.168.123.2"}
    ovs_version: "2.13.2"
[root@dell-per730-04 ~]#
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=34275641
Created attachment 1747702 [details] audit log for self signed certificate
Created attachment 1747703 [details] audit log for CA signed certificate
Latest build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=34299607

It will resolve all but one class of AVCs. The class to which I'm referring:

type=AVC msg=audit(1610697438.686:243): avc: denied { read } for pid=24057 comm="openssl" name="h1-cert.pem" dev="dm-0" ino=134568189 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1

This AVC is stating that you want the policy to allow openvswitch_t to read /root but we don't give such access to the openvswitch_t domain. Can you update your steps to include placing the psk into /tmp or somewhere that would be a more likely production location? I think it's inappropriate for /root to be accessible to the openvswitch domain.
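The review step in the comment above (and the later `grep AVC` triage further down the thread) is the kind of thing worth automating: parse the AVC records out of audit.log, collapse them audit2allow-style into (source type, target type, class) groups, and separate the groups a policy could reasonably allow from those that would open a sensitive label such as admin_home_t to a service domain. The following Python is an added example written for this page; it is not code from the bug report, from Open vSwitch or from the openvswitch-selinux-extra-policy package. The sample log is constructed: its first record is the openssl/admin_home_t AVC quoted above and the USER_AVC is the setenforce notice quoted later in the thread, while the two ovs-monitor-ipsec write/open denials and the SYSCALL record are invented here to stand in for the attached audit.log, which is not shown on the page. The list of off-limits target types is this example's own assumption, seeded with admin_home_t from the comment.

```python
"""Triage SELinux AVC denials from an audit.log (added example, not part of the bug report)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. Record 1 is the AVC quoted in the bug comment; the USER_AVC is
# the setenforce notice quoted later in the thread; the ovs-monitor-ipsec denials and
# the SYSCALL record are constructed for illustration (the real audit.log is attached to
# the bug, not shown on the page). Real audit.log lines use double spaces around
# "denied"; the regex below accepts either.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1610697438.686:243): avc:  denied  { read } for  pid=24057 comm="openssl" name="h1-cert.pem" dev="dm-0" ino=134568189 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1607580192.100:117): avc:  denied  { write } for  pid=28626 comm="ovs-monitor-ips" name="ipsec.conf" dev="dm-0" ino=100663424 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1607580192.100:118): avc:  denied  { open } for  pid=28626 comm="ovs-monitor-ips" path="/etc/ipsec.conf" dev="dm-0" ino=100663424 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1611110562.329:321): pid=1636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1607580192.100:117): arch=c000003e syscall=257 success=no exit=-13 comm="ovs-monitor-ips" exe="/usr/bin/python3" subj=system_u:system_r:openvswitch_t:s0 key=(null)
"""

# Only genuine kernel AVC records match; USER_AVC, SYSCALL, MAC_IPSEC_EVENT etc. do not.
AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

# Target types a reviewer should refuse to open to a service domain. admin_home_t is
# the one rejected in the comment above; the others are this example's own choice.
OFF_LIMITS_TARGET_TYPES = frozenset({"admin_home_t", "user_home_t", "shadow_t"})


@dataclass(frozen=True)
class Denial:
    ts: float
    serial: int
    perms: tuple        # e.g. ("read",)
    comm: str
    target: str         # path= if present, else name= of the object
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool    # True: logged while permissive, so enforcing mode would block it


def context_type(ctx: str) -> str:
    """Return the type (third component) of an SELinux context such as user:role:type:level."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc_records(text: str) -> list:
    """Extract every 'avc: denied' record; everything else in the log is skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m or m.group("verdict") != "denied":
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        denials.append(Denial(
            ts=float(m.group("ts")),
            serial=int(m.group("serial")),
            perms=tuple(sorted(m.group("perms").split())),
            comm=fields.get("comm", "?"),
            target=fields.get("path") or fields.get("name", "?"),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
            permissive=fields.get("permissive") == "1",
        ))
    return denials


def summarize(denials) -> dict:
    """Group denials audit2allow-style: (source type, target type, class) -> permissions."""
    groups = defaultdict(set)
    for d in denials:
        groups[(context_type(d.scontext), context_type(d.tcontext), d.tclass)].update(d.perms)
    return dict(groups)


def as_allow_rule(key, perms) -> str:
    """Render one group as the TE rule that would silence it."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def review(denials, off_limits=OFF_LIMITS_TARGET_TYPES):
    """Split candidate rules into (acceptable, rejected); rejected ones touch an off-limits type."""
    accepted, rejected = [], []
    for key, perms in sorted(summarize(denials).items()):
        (rejected if key[1] in off_limits else accepted).append(as_allow_rule(key, perms))
    return accepted, rejected


if __name__ == "__main__":
    found = parse_avc_records(SAMPLE_AUDIT_LOG)
    print(f"{len(found)} AVC denial(s) parsed")
    for d in found:
        mode = "permissive" if d.permissive else "enforcing"
        print(f"  [{mode}] {d.comm} -> {d.target}: {context_type(d.scontext)} "
              f"{context_type(d.tcontext)}:{d.tclass} {{ {' '.join(d.perms)} }}")
    ok, bad = review(found)
    print("candidate policy additions:", *ok, sep="\n  ")
    print("rejected (would expose an off-limits type):", *bad, sep="\n  ")
```

Run against a real audit.log (replace SAMPLE_AUDIT_LOG with the file contents), the rejected list is the part of the output to act on before touching policy: a denial like the openssl/admin_home_t one is fixed by moving the certificate out of /root, as the comment asks, not by an allow rule.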
Created attachment 1748383 [details]
audit_self_signed_1.log

With openvswitch-selinux-extra-policy-1.0-26.el8fdp.noarch, self-signed certificate and CA-signed certificate modes still don't work. Please see the attached log for self-signed certificate mode and the trace below.

[root@dell-per730-04 ipsec]# tcpdump -nnev -i eno1np0 -c1
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:57:15.955803 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 136: (tos 0x0, ttl 64, id 25011, offset 0, flags [DF], proto GRE (47), length 122)
    192.168.123.1 > 192.168.123.2: GREv0, Flags [none], proto TEB (0x6558), length 102
        26:57:a3:07:c3:46 > 62:0c:8d:ca:2a:41, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 56144, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.123.1 > 172.16.123.2: ICMP echo request, id 44620, seq 7, length 64
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ipsec]# tcpdump -nnev -i eno1np0 -c1 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ipsec]#
[root@dell-per730-04 ipsec]# setenforce permissive
[root@dell-per730-04 ipsec]# tcpdump -nnev -i eno1np0 -c1 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:57:50.771791 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 42000, offset 0, flags [DF], proto ESP (50), length 156)
    192.168.123.1 > 192.168.123.2: ESP(spi=0xf8075f7d,seq=0x4), length 136
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ipsec]# setenforce enforcing
[root@dell-per730-04 ipsec]# getenforce
Enforcing
[root@dell-per730-04 ipsec]# tcpdump -nnev -i eno1np0 -c1 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:59:21.907810 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 28057, offset 0, flags [DF], proto ESP (50), length 156)
    192.168.123.1 > 192.168.123.2: ESP(spi=0xf8075f7d,seq=0x62), length 136
1 packet captured
1 packet received by filter
0 packets dropped by kernel
[root@dell-per730-04 ipsec]#
For self-signed certificate mode, after setenforce to permissive, ESP can be seen with tcpdump, but for CA-signed certificate mode, systemctl restart openvswitch-ipsec is needed before ESP can be seen. Please see the trace below.

[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 -c 1
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
03:31:03.731803 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 136: (tos 0x0, ttl 64, id 47503, offset 0, flags [DF], proto GRE (47), length 122)
    192.168.123.1 > 192.168.123.2: GREv0, Flags [none], proto TEB (0x6558), length 102
        72:22:cd:fd:e8:49 > c6:3c:b5:e8:b3:40, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 11072, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.123.1 > 172.16.123.2: ICMP echo request, id 7447, seq 12, length 64
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# setenforce permissive
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 -c 1
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
03:31:23.187763 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 136: (tos 0x0, ttl 64, id 58636, offset 0, flags [DF], proto GRE (47), length 122)
    192.168.123.1 > 192.168.123.2: GREv0, Flags [none], proto TEB (0x6558), length 102
        72:22:cd:fd:e8:49 > c6:3c:b5:e8:b3:40, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 18912, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.123.1 > 172.16.123.2: ICMP echo request, id 7447, seq 31, length 64
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]# systemctl restart openvswitch-ipsec
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
03:32:03.123771 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 11364, offset 0, flags [DF], proto ESP (50), length 156)
    192.168.123.1 > 192.168.123.2: ESP(spi=0xfb490a60,seq=0x9), length 136
03:32:03.123973 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 40643, offset 0, flags [DF], proto ESP (50), length 156)
    192.168.123.2 > 192.168.123.1: ESP(spi=0x243d5d94,seq=0x9), length 136
03:32:04.147794 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 12291, offset 0, flags [DF], proto ESP (50), length 156)
    192.168.123.1 > 192.168.123.2: ESP(spi=0xfb490a60,seq=0xa), length 136
03:32:04.147945 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 41139, offset 0, flags [DF], proto ESP (50), length 156)
    192.168.123.2 > 192.168.123.1: ESP(spi=0x243d5d94,seq=0xa), length 136
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]#
Created attachment 1748615 [details] audit log for self signed certificate with openvswitch-selinux-extra-policy-1.0-26.el8fdp
Created attachment 1748616 [details] audit log for CA signed certificate with openvswitch-selinux-extra-policy-1.0-26.el8fdp
Created attachment 1748913 [details]
audit log for self signed certificate with openvswitch-selinux-extra-policy-1.0-27.el8fdp

(In reply to Aaron Conole from comment #27)
> https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=34369487
> 
> This build should resolve the perf_event issue.

The build still has an issue. Please see the attached audit_27.log. Thanks.
Created attachment 1748921 [details]
audit log for 27 with permissive

The attachment in comment#28 is for SELinux enforcing. This one is for SELinux permissive. Thanks.

[root@dell-per730-04 ipsec]# rpm -qa | grep selin
selinux-policy-targeted-3.14.3-60.el8.noarch
libselinux-2.9-5.el8.x86_64
selinux-policy-3.14.3-60.el8.noarch
python3-libselinux-2.9-5.el8.x86_64
libselinux-utils-2.9-5.el8.x86_64
openvswitch-selinux-extra-policy-1.0-27.el8fdp.noarch
rpm-plugin-selinux-4.14.3-4.el8.x86_64
[root@dell-per730-04 ipsec]#
[root@dell-per730-04 ipsec]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-79.el8fdp.x86_64
openvswitch2.13-ipsec-2.13.0-79.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-27.el8fdp.noarch
openvswitch2.13-2.13.0-79.el8fdp.x86_64
kernel-kernel-networking-openvswitch-ipsec-1.0-7.noarch
[root@dell-per730-04 ipsec]#
[root@dell-per730-04 ipsec]# uname -a
Linux dell-per730-04.rhts.eng.pek2.redhat.com 4.18.0-275.el8.x86_64 #1 SMP Sat Jan 16 07:11:30 EST 2021 x86_64 x86_64 x86_64 GNU/Linux
[root@dell-per730-04 ipsec]#
With SELinux Enforcing, RHEL-8.3.0-updates-20201210.2 doesn't work for self-signed and CA-signed certificate modes either.

[root@dell-per730-04 ipsec]# uname -r
4.18.0-240.8.1.el8_3.x86_64
With SELinux Enforcing, RHEL-8.3.0 doesn't work for self-signed and CA-signed certificate modes either.

[root@dell-per730-04 ~]# rpm -qa | grep selinux
selinux-policy-3.14.3-54.el8.noarch
libselinux-2.9-3.el8.x86_64
libselinux-utils-2.9-3.el8.x86_64
rpm-plugin-selinux-4.14.3-4.el8.x86_64
selinux-policy-targeted-3.14.3-54.el8.noarch
python3-libselinux-2.9-3.el8.x86_64
openvswitch-selinux-extra-policy-1.0-26.el8fdp.noarch
[root@dell-per730-04 ~]# uname -r
4.18.0-240.el8.x86_64
[root@dell-per730-04 ~]#
The only selinux issue is:

05:53:19 aconole@dhcp-25 {fast-datapath-rhel-8} ~/rhpkg/openvswitch-selinux-extra-policy$ grep AVC /tmp/mozilla_aconole0/audit_27_permissive.log
type=USER_AVC msg=audit(1611110562.329:321): pid=1636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

No other AVCs logged, and that is a user-emitted AVC.

What errors are you getting now?
(In reply to Aaron Conole from comment #32)
> The only selinux issue is:
> 
> 05:53:19 aconole@dhcp-25 {fast-datapath-rhel-8}
> ~/rhpkg/openvswitch-selinux-extra-policy$ grep AVC
> /tmp/mozilla_aconole0/audit_27_permissive.log
> type=USER_AVC msg=audit(1611110562.329:321): pid=1636 uid=81 auid=4294967295
> ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> msg='avc: received setenforce notice (enforcing=0)
> exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus"
> AUID="unset" SAUID="dbus"
> 
> No other AVCs logged, and that is a user-emitted AVC.
> 
> What errors are you getting now?

With SELinux Enforcing, no IPsec ESP can be seen in the packets through the tunnel. I'm not sure if the messages below from /var/log/audit/audit.log are related.

[root@dell-per730-04 ipsec]# cat /var/log/audit/audit.log | grep ipsec
type=SERVICE_STOP msg=audit(1611225712.678:1066): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1611225718.234:1074): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1075): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225718.606:1075): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=7f0ddddad9a0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1076): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225718.606:1076): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1077): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225718.606:1077): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1078): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225718.606:1078): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1079): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225718.606:1079): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1080): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225718.606:1080): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=SERVICE_START msg=audit(1611225718.607:1081): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1611225718.632:1082): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1611225723.664:1084): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=MAC_IPSEC_EVENT msg=audit(1611225724.027:1085): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225724.027:1085): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe3f70dcc0 a2=b8 a3=7f06f998e9a0 items=0 ppid=1 pid=58880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225724.027:1086): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225724.027:1086): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe3f70dcc0 a2=b8 a3=0 items=0 ppid=1 pid=58880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225724.027:1087): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225724.027:1087): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe3f70dcc0 a2=b8 a3=0 items=0 ppid=1 pid=58880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225724.027:1088): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225724.027:1088): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe3f70dcc0 a2=b8 a3=0 items=0 ppid=1 pid=58880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225724.027:1089): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225724.027:1089): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe3f70dcc0 a2=b8 a3=0 items=0 ppid=1 pid=58880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225724.027:1090): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225724.027:1090): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe3f70dcc0 a2=b8 a3=0 items=0 ppid=1 pid=58880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=SERVICE_START msg=audit(1611225724.028:1091): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1611225850.286:1096): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=MAC_IPSEC_EVENT msg=audit(1611225850.670:1097): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225850.670:1097): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe508162f0 a2=b8 a3=7f783e0779a0 items=0 ppid=1 pid=65604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225850.671:1098): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225850.671:1098): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe508162f0 a2=b8 a3=0 items=0 ppid=1 pid=65604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225850.671:1099): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225850.671:1099): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe508162f0 a2=b8 a3=0 items=0 ppid=1 pid=65604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225850.671:1100): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset"
type=SYSCALL msg=audit(1611225850.671:1100): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe508162f0 a2=b8 a3=0 items=0 ppid=1 pid=65604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=MAC_IPSEC_EVENT msg=audit(1611225850.671:1101):
op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225850.671:1101): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe508162f0 a2=b8 a3=0 items=0 ppid=1 pid=65604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225850.671:1102): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225850.671:1102): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe508162f0 a2=b8 a3=0 items=0 ppid=1 pid=65604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=SERVICE_START msg=audit(1611225850.671:1103): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" [root@dell-per730-04 ipsec]#
Please include the following information:

ls -lahZ /path/to/keyfiles/*

and /var/log/openvswitch/ovs-monitor-ipsec.log

I found that I could reproduce similar behavior to you, where there aren't any audited issues, but that is due to the selinux label of the key files. We probably need to document what those labels should be, but since they are user supplied, we cannot enforce a specific label scheme.
Created attachment 1749600 [details]
ovs-monitor-ipsec.log

(In reply to Aaron Conole from comment #34)
> Please include the following information:
>
> ls -lahZ /path/to/keyfiles/*

[root@dell-per730-04 ipsec]# ls -lahZ /tmp/keys/*
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 4.2K Jan 21 20:37 /tmp/keys/h1-cert.pem
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 1.7K Jan 21 20:37 /tmp/keys/h1-privkey.pem
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 3.6K Jan 21 20:37 /tmp/keys/h1-req.pem
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 4.2K Jan 21 20:37 /tmp/keys/h2-cert.pem
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 1.7K Jan 21 20:37 /tmp/keys/h2-privkey.pem
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 3.6K Jan 21 20:37 /tmp/keys/h2-req.pem
[root@dell-per730-04 ipsec]#

> and /var/log/openvswitch/ovs-monitor-ipsec.log

Please see the attachment ovs-monitor-ipsec.log

> I found that I could reproduce similar behavior to
> you, where there aren't any audited issues, but that
> is due to the selinux label of the key files.
>
> We probably need to document what those labels
> should be, but since they are user supplied, we cannot
> enforce a specific label scheme.

Thanks
Try making the change to your key file area:

chcon -R -t ipsec_key_file_t /tmp/keys

This will label your key files with the expected labels.

I see from the logs:

2021-01-22T01:41:35.376Z | 66 | ovs-monitor-ipsec | WARN | b"Can't open /tmp/keys/h1-cert.pem for reading, Permission denied\n139991330424640:error:0200100D:system library:fopen:Permission denied:crypto/bio/bss_file.c:69:fopen('/tmp/keys/h1-cert.pem','r')\n139991330424640:error:2006D002:BIO routines:BIO_new_file:system lib:crypto/bio/bss_file.c:78:\nunable to load certificate\n"

which may be a suppressed MAC control error w.r.t. the user_tmp_t label.
(In reply to Aaron Conole from comment #36)
> Try making the change to your key file area:
>
> chcon -R -t ipsec_key_file_t /tmp/keys
>
> This will label your key files with the expected labels.

The solution solves the issue. And currently all three modes work well. Thank you.

Beaker job: https://beaker.engineering.redhat.com/jobs/5022051
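The label check Aaron asks for, as an added example rather than anything from the bug report or the Open vSwitch scripts: a small POSIX sh script that walks a key directory and flags files whose SELinux type is not ipsec_key_file_t (the type the chcon fix above sets) or that are group/world readable. The expected type comes from this thread; the script and its function names are my own, and it degrades to a mode-only check where stat reports no SELinux context.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Open vSwitch: check that
# IPsec key files carry the SELinux type the thread's chcon fix assigns and
# that they are owner-only readable. Function names are my own.

EXPECTED_TYPE="ipsec_key_file_t"

# selinux_type CONTEXT: print the type field of a user:role:type:level label
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_key_context CONTEXT OCTAL_MODE
#   returns 0 when label and mode are acceptable
#           1 when the SELinux type is not $EXPECTED_TYPE (the bug's symptom)
#           2 when group or others can access the file
#           3 when no context is available ("?" from stat on non-SELinux hosts)
check_key_context() {
    ctx="$1"; mode="$2"
    case "$ctx" in
        '?'|'') return 3 ;;
    esac
    [ "$(selinux_type "$ctx")" = "$EXPECTED_TYPE" ] || return 1
    # An octal mode ending in 00 means no group/other permission bits are set
    case "$mode" in
        *00) return 0 ;;
        *)   return 2 ;;
    esac
}

# scan_keydir DIR: report every regular file in DIR; exit non-zero if any
# file needs relabelling or a mode change
scan_keydir() {
    dir="$1"; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        ctx=$(stat -c '%C' "$f" 2>/dev/null)
        mode=$(stat -c '%a' "$f" 2>/dev/null)
        r=0; check_key_context "$ctx" "$mode" || r=$?
        case "$r" in
            0) echo "ok        $f ($ctx, mode $mode)" ;;
            1) echo "BAD LABEL $f ($ctx); fix: chcon -t $EXPECTED_TYPE '$f'"; rc=1 ;;
            2) echo "BAD MODE  $f (mode $mode); fix: chmod 600 '$f'"; rc=1 ;;
            3) echo "NO LABEL  $f (SELinux context unavailable)" ;;
        esac
    done
    return "$rc"
}

if [ $# -eq 1 ]; then scan_keydir "$1"; fi
```

Run it as `sh check-keys.sh /tmp/keys`. A chcon label does not survive a filesystem relabel, so for a long-lived key directory also register the type with semanage fcontext and apply it with restorecon.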
Created attachment 1751885 [details] Audit logs for AVC when running ovs-appctl
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openvswitch-selinux-extra-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0405