Bug 1401589

Summary: AVC denials when ipsec was started on ppc64
Product: Red Hat Enterprise Linux 6
Reporter: Patrik Kis <pkis>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.9
CC: dwalsh, lvrabec, mgrepl, mmalik, pkis, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-07 09:35:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Patrik Kis 2016-12-05 15:54:29 UTC
Description of problem:
The following AVC denials were reported while starting ipsec. The issue was seen only on ppc64, but it still might not be architecture related. It was a slower virtual machine, which could have an effect on the result too.

----
time->Sat Dec  3 09:56:56 2016
type=SOCKETCALL msg=audit(1480777016.641:1439): nargs=3 a0=2 a1=3 a2=ff
type=SYSCALL msg=audit(1480777016.641:1439): arch=80000015 syscall=102 success=no exit=-13 a0=1 a1=ffff2fede10 a2=ff a3=fffffffffefefeff items=0 ppid=26929 pid=26930 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1480777016.641:1439): avc:  denied  { create } for  pid=26930 comm="iptables" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tclass=rawip_socket
----
time->Sat Dec  3 09:56:56 2016
type=PATH msg=audit(1480777016.641:1440): item=0 name="/proc/sys/kernel/modprobe" inode=6810 dev=00:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL
type=CWD msg=audit(1480777016.641:1440):  cwd="/"
type=SYSCALL msg=audit(1480777016.641:1440): arch=80000015 syscall=5 success=no exit=-13 a0=80b3858250 a1=0 a2=0 a3=fffffffffefefeff items=1 ppid=26929 pid=26930 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1480777016.641:1440): avc:  denied  { read } for  pid=26930 comm="iptables" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
----

The ipsec daemon noticed the issue:

# service ipsec start
Starting pluto IKE daemon for IPsec: Migrating NSS db to sql:/etc/ipsec.d
Password changed successfully.
upgrade complete!
NSS upgrade complete
iptables v1.4.7: can't initialize iptables table `filter': Permission denied
Perhaps iptables or your kernel needs to be upgraded.

Not sure if this should be allowed or not. If yes, please add it to the policy or forward the case to libreswan if they are doing something they should not.


Version-Release number of selected component (if applicable):
libreswan-3.15-7.el6.1
selinux-policy-3.7.19-305.el6


How reproducible:
seen only once

Steps to Reproduce:
There is no reliable reproducer.

Comment 2 Milos Malik 2016-12-05 16:20:28 UTC
libreswan starts iptables, but iptables stays running as ipsec_mgmt_t, which is unexpected, because the policy contains the necessary rules for the transition. Maybe iptables was incorrectly labeled on the filesystem.
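An added example, not part of the bug report or of the selinux-policy project: a small Python checker that parses AVC records like the ones in the description and flags processes whose subject domain is not the domain they should have entered on exec, which is the pattern here (comm="iptables" running as ipsec_mgmt_t). Such denials point at a failed domain transition rather than at allow rules missing from the parent's domain. The expected-domain table is an assumption of the example, and the third audit line is constructed as a healthy control.

```python
import re

# Assumption for this example: the SELinux domain each helper should run in after
# the exec transition (iptables_t is the domain entered through iptables_exec_t).
EXPECTED_DOMAIN = {"iptables": "iptables_t"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)" '
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

# Constructed sample: the two AVC records from the report, plus one constructed
# record of iptables correctly running in iptables_t that must not be flagged.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1480777016.641:1439): avc:  denied  { create } for  pid=26930 comm="iptables" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tclass=rawip_socket
type=AVC msg=audit(1480777016.641:1440): avc:  denied  { read } for  pid=26930 comm="iptables" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
type=AVC msg=audit(1480777099.000:1450): avc:  denied  { read } for  pid=27001 comm="iptables" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

def parse_avc(line):
    """Parse one type=AVC record into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # The third field of a context (user:role:type:level) is the type/domain.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def find_missing_transitions(lines, expected=EXPECTED_DOMAIN):
    """Group denials by (pid, comm) where the subject domain is not the one the
    program should have transitioned into; returns {(pid, comm): details}."""
    findings = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["comm"] not in expected:
            continue
        want = expected[rec["comm"]]
        if rec["stype"] == want:
            continue
        f = findings.setdefault((int(rec["pid"]), rec["comm"]),
                                {"actual": rec["stype"], "expected": want, "denials": []})
        f["denials"].append((rec["tclass"], tuple(rec["perms"]), rec["ttype"]))
    return findings
```

Feed it `ausearch -m AVC` output (or the lines of /var/log/audit/audit.log) to separate "wrong domain" findings from ordinary missing-rule denials before deciding whether a policy change is warranted.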

Comment 4 Milos Malik 2016-12-05 16:52:28 UTC
If libreswan starts iptables then the following symbolic links have to be traversed to get to the iptables_exec_t context. Why is it so complicated?

# ls -Z `which iptables`
lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0   /sbin/iptables -> /etc/alternatives/iptables.ppc64
# ls -Z /etc/alternatives/iptables.ppc64
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0   /etc/alternatives/iptables.ppc64 -> /sbin/iptables-1.4.7
# ls -Z /sbin/iptables-1.4.7
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /sbin/iptables-1.4.7 -> iptables-multi
# ls -Z /sbin/iptables-multi
lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0   /sbin/iptables-multi -> /etc/alternatives/sbin-iptables-multi.ppc64
# ls -Z /etc/alternatives/sbin-iptables-multi.ppc64
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0   /etc/alternatives/sbin-iptables-multi.ppc64 -> /sbin/iptables-multi-1.4.7
# ls -Z /sbin/iptables-multi-1.4.7 
-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi-1.4.7
#
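An added example, not code from the report or from the selinux-policy project: a Python walker that resolves a path one symlink at a time, reading each hop's own SELinux label (as `ls -Z` prints it) and reporting the type of the final non-symlink target, which is the file the kernel's exec transition rule is matched against. It builds a constructed replica of the five-hop chain above under a temporary directory; the labels it reads come from the `security.selinux` xattr and are None on systems without SELinux.

```python
import os
import tempfile

def selinux_label(path):
    """Label of path itself (not its target), or None where unavailable."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except (AttributeError, OSError):  # non-Linux Python, SELinux off, or unlabeled
        return None
    return raw.rstrip(b"\0").decode()

def walk_link_chain(path, max_hops=16):
    """Resolve one symlink per hop; returns [(path, label), ...] ending at the target."""
    chain = []
    for _ in range(max_hops):
        chain.append((path, selinux_label(path)))
        if not os.path.islink(path):
            return chain
        target = os.readlink(path)
        # A relative target such as "iptables-multi" resolves against the link's directory.
        path = os.path.normpath(os.path.join(os.path.dirname(path), target))
    raise RuntimeError("more than %d hops: symlink loop?" % max_hops)

def label_type(label):
    """The type field of a user:role:type:level label, or None if unlabeled."""
    return label.split(":")[2] if label else None

def run_sample(root=None):
    """Constructed replica of the report's chain under a temp dir; returns plain values."""
    root = root or tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sbin"))
    os.makedirs(os.path.join(root, "etc", "alternatives"))
    binary = os.path.join(root, "sbin", "iptables-multi-1.4.7")
    with open(binary, "w") as f:
        f.write("#!/bin/sh\n")
    hops = [("sbin/iptables", "etc/alternatives/iptables.ppc64"),
            ("etc/alternatives/iptables.ppc64", "sbin/iptables-1.4.7"),
            ("sbin/iptables-1.4.7", "iptables-multi"),  # relative, as in the report
            ("sbin/iptables-multi", "etc/alternatives/sbin-iptables-multi.ppc64"),
            ("etc/alternatives/sbin-iptables-multi.ppc64", "sbin/iptables-multi-1.4.7")]
    for link, target in hops:
        dest = os.path.join(root, target) if "/" in target else target
        os.symlink(dest, os.path.join(root, link))
    chain = walk_link_chain(os.path.join(root, "sbin", "iptables"))
    return {"hops": len(chain) - 1, "final": chain[-1][0], "binary": binary,
            "final_is_link": os.path.islink(chain[-1][0]),
            "final_type": label_type(chain[-1][1])}
```

On a real host, `walk_link_chain("/sbin/iptables")` shows whether the last hop carries iptables_exec_t; a differently labeled final file (not the bin_t or etc_t symlinks in between) is what would keep the child in the parent's domain.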

Comment 7 Lukas Vrabec 2016-12-07 09:35:39 UTC
Red Hat Enterprise Linux version 6 is entering the Production 2 phase of its lifetime and this bug doesn't meet the criteria for it, i.e. only high severity issues will be fixed. Please see https://access.redhat.com/support/policy/updates/errata/ for further information.