Bug 1184978

Summary: selinux prevents libreswan to stop correctly sometimes
Product: Red Hat Enterprise Linux 7 Reporter: Ondrej Moriš <omoris>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Jiri Jaburek <jjaburek>
Severity: high Docs Contact:
Priority: urgent    
Version: 7.1CC: lvrabec, mgrepl, mmalik, mvadkert, plautrba, pvrabec, ssekidde, tlavigne
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-21.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:48:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 717785    

Description Ondrej Moriš 2015-01-22 15:44:44 UTC 
Description of problem:

The following AVC appears when ipsec is restarted:

type=AVC msg=audit(1421941324.062:4592): avc:  denied  { write } for  pid=26818 comm="ip" path="/var/log/pluto.log" dev="dm-6" ino=147 scontext=system_u:system_r:ifconfig_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ipsec_log_t:s0 tclass=file

The following rule solves the problem:

#============= init_t ==============
allow init_t ipsec_var_run_t:sock_file read;

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-19.el7.noarch
Comment 1 Miroslav Vadkerti 2015-01-22 15:52:44 UTC 
The correct AVC, please ignore the one from the description

----
time->Thu Jan 22 16:39:26 2015
type=SYSCALL msg=audit(1421941166.353:12236): arch=c000003e syscall=21 success=no exit=-13 a0=7f592fad4022 a1=6 a2=0 a3=64 items=0 ppid=1 pid=29617 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="whack" exe="/usr/libexec/ipsec/whack" subj=system_u:system_r:init_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1421941166.353:12236): avc:  denied  { read } for  pid=29617 comm="whack" name="pluto.ctl" dev="tmpfs" ino=227216 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=sock_file


This module fixes the issue for us:

module whack 1.0;

require {
        type ipsec_var_run_t;
        type init_t;
        class sock_file read;
}

#============= init_t ==============
allow init_t ipsec_var_run_t:sock_file read;
Comment 2 Miroslav Grepl 2015-01-28 08:28:45 UTC 
commit 99935da359e3f9a86013c836b10e5928e1f98241
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jan 23 06:32:55 2015 +0100

    Update ipsec_manage_pid() interface.
Comment 6 errata-xmlrpc 2015-03-05 10:48:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html