Bug 1287182

Libreswan does not work because of selinux avc denials. I was not able to verify bug 1284759.

Which version of selinux-policy was installed on your machine?

selinux-policy-3.7.19-279.el6_7.7

Package selinux-policy-3.7.19-283.el6 returns:
time->Wed Dec  2 09:04:33 2015
type=SYSCALL msg=audit(1449043473.803:43): arch=c000003e syscall=268 success=no exit=-13 a0=ffffffffffffff9c a1=f9c0f0 a2=1c0 a3=0 items=0 ppid=4421 pid=4428 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/bin/chmod" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449043473.803:43): avc:  denied  { setattr } for  pid=4428 comm="chmod" name="pluto" dev=dm-0 ino=525613 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=dir
----
time->Wed Dec  2 09:04:35 2015
type=SYSCALL msg=audit(1449043475.806:44): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=2 a2=0 a3=0 items=0 ppid=4869 pid=4870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="addconn" exe="/usr/libexec/ipsec/addconn" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449043475.806:44): avc:  denied  { create } for  pid=4870 comm="addconn" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket

Based on "success=no", it's clear that AVCs were triggered in enforcing mode. Could you re-run the same scenario in permissive mode (after setenforce 0)? Please collect the AVCs triggered in permissive mode and attach them here. Thanks

What's the mode of /var/run/pluto dir when installed from package? It should be 0700,root,root - if mode is correct there is no avc from that one.

Second one is caused by first problem.

Milos Malik:

time->Wed Dec  2 09:46:16 2015
type=SYSCALL msg=audit(1449045976.694:99): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=13500f0 a2=1c0 a3=0 items=0 ppid=6385 pid=6392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/bin/chmod" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449045976.694:99): avc:  denied  { setattr } for  pid=6392 comm="chmod" name="pluto" dev=dm-0 ino=525613 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=dir
----
time->Wed Dec  2 09:46:18 2015
type=SYSCALL msg=audit(1449045978.730:100): arch=c000003e syscall=41 success=yes exit=0 a0=10 a1=2 a2=0 a3=0 items=0 ppid=6834 pid=6835 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="addconn" exe="/usr/libexec/ipsec/addconn" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449045978.730:100): avc:  denied  { create } for  pid=6835 comm="addconn" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket
----
time->Wed Dec  2 09:46:18 2015
type=SYSCALL msg=audit(1449045978.731:101): arch=c000003e syscall=44 success=yes exit=28 a0=0 a1=7fffe0c09750 a2=1c a3=0 items=0 ppid=6834 pid=6835 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="addconn" exe="/usr/libexec/ipsec/addconn" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449045978.731:101): avc:  denied  { nlmsg_read } for  pid=6835 comm="addconn" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket


Tuomo Soini:
drwx------. 2 root      root      4096 Dec  2 09:46 pluto

(In reply to Vera Budikova from comment #2)
> Libreswan does not work because of selinux avc denials. I was not able to
> verify bug 1284759.

Could you please turn selinux into permissive mode and execute at least some important tests to make sure there are no problems in NM-openswan? Also, it is important to test NM-openswan with both:

a) openswan (available in rhel6 already)
b) libreswan (available via ER#21587)

a) No AVCs with openswan in permissive mode:
NetworkManager-openswan-0.8.0-9.el6_7.x86_64
openswan-2.6.32-37.el6.x86_64

b) You can see AVCs with libreswan in comment9.

(In reply to Vera Budikova from comment #12)
> a) No AVCs with openswan in permissive mode:
> NetworkManager-openswan-0.8.0-9.el6_7.x86_64
> openswan-2.6.32-37.el6.x86_64
> 
> b) You can see AVCs with libreswan in comment9.

Good news indeed, thank you! We will have selinux-policy fix available tomorrow, hopefully.

Paul confirmed spec has:

%attr(0755,root,root) %dir %{_localstatedir}/run/pluto

So there is a packaging error too.

(In reply to Ondrej Moriš from comment #13)
> (In reply to Vera Budikova from comment #12)
> > a) No AVCs with openswan in permissive mode:
> > NetworkManager-openswan-0.8.0-9.el6_7.x86_64
> > openswan-2.6.32-37.el6.x86_64
> > 
> > b) You can see AVCs with libreswan in comment9.
> 
> Good news indeed, thank you! We will have selinux-policy fix available
> tomorrow, hopefully.

should we file a bug to make the dir 0700 ?

Yes, that should be changed because when ipsec starts up, it runs setup which changes mode of /var/run/pluto to 0700. And that causes totally unnecessary rpm verify error for directory mode.

(In reply to Paul Wouters from comment #15)
> should we file a bug to make the dir 0700 ?

We can fix that, but it will solve only failed rpm --verify, I suggest to live without it at the moment, we would need 6.7.z clone, acks and batch update 4 deadline for QA is approaching (12-8)., Anyway, it will not solve setattr AVC which is caused by selinux-policy because ipsec_mgmt_t cannot call setattr_t on dir AFAIK.

(In reply to Tuomo Soini from comment #16)
> Yes, that should be changed because when ipsec starts up, it runs setup
> which changes mode of /var/run/pluto to 0700. And that causes totally
> unnecessary rpm verify error for directory mode.

See above. Second AVC is not caused by the first one, really. There are actually two chmod calls during ipsec start, first is from ipsec initscript - it succeeds (because selinux-policy allows it), second is in /usr/libexec/ipsec/setup and it fails because selinux-policy denies it (see above). Basically, one of those two is redundant here but it is not a problem at all.

We definitely need to fix all AVC mentioned in c#9 in selinux-policy  at this moment.

I have been running libreswan for years with selinux enabled on rhel6 based platform. No, if that mode is fixed selinux change is not needed because chmod doesn't do anything if mode is already correct.

OK then, let me correct myself, changing specfile _will fix_ the first AVC (setattr) but we still need to correct selinux-policy as well, because someone might remove /var/run/pluto (for whatever reason). ipsec service can handle that my creating it again and then it calls chmod 700 which would be rejected by selinux-policy. Thus I am proposing the following:

  * let's correct specfile (BZ#1288086) [not necessarily in 6.7.4]
  * let's correct all AVC from c#9 in selinux-policy:

    allow ipsec_mgmt_t ipsec_var_run_t:dir setattr;
    allow ipsec_mgmt_t self:netlink_route_socket { create nlmsg_read };
    allow ipsec_mgmt_t self:netlink_route_sockettime->Wed nlmsg_read;

    (afaik)

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html