Bug 1535133
| Summary: | selinux denies ipsec service to read configuration in mls policy | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ondrej Moriš <omoris> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.5 | CC: | lmiksik, lvrabec, mgrepl, mmalik, omoris, plautrba, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-186.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-10 12:49:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The /etc/ipsec.d/audit-test-*.conf files are labeled ipsec_key_file_t, which is not optimal. Does the scenario work if you label the /etc/ipsec.d/audit-test-*.conf files with ipsec_conf_file_t? Following rule is missing and the advice mentioned in comment#2 will not help: allow init_t ipsec_key_file_t:dir read; because # matchpathcon /etc/ipsec.d /etc/ipsec.d system_u:object_r:ipsec_key_file_t:s0 # sesearch -s init_t -t ipsec_key_file_t -c dir -p read -A /etc/selinux/mls/policy/policy.31 # Ondrej, I would say, bigger issue is taht addconn runs under init_t instead of ipsec_t. Could you please change context of addconn to ipsec_exec_t: # chcon -t ipsec_exec_t /usr/libexec/ipsec/addconn and then reproduce the scenario? Thanks, Lukas. Yes, with addconn having ipsec_exec_t context, it works (ie. we do not need rules mentioned in the description). Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763 |
Description of problem: Selinux denies ipsec service to read its configuration when MLS selinux-policy is used. It denies read access to /etc/ipsec.d/ configuration directory (system_u:object_r:ipsec_key_file_t:SystemLow): time->Tue Jan 16 17:48:37 2018 type=PROCTITLE msg=audit(1516121317.268:53607): proctitle=2F7573722F6C6962657865632F69707365632F616464636F6E6E002D2D636F6E666967002F6574632F69707365632E636F6E66002D2D636865636B636F6E666967 type=SYSCALL msg=audit(1516121317.268:53607): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7fff40c2f110 a2=90800 a3=0 items=0 ppid=1 pid=4487 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="addconn" exe="/usr/libexec/ipsec/addconn" subj=system_u:system_r:init_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1516121317.268:53607): avc: denied { read } for pid=4487 comm="addconn" name="ipsec.d" dev="dm-0" ino=26031489 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir as well as read, open, ioctl and getattr access to files in this directory. The following rules solved all issues: allow init_t ipsec_key_file_t:dir read; allow init_t ipsec_key_file_t:file read; allow init_t ipsec_key_file_t:file ioctl; allow init_t ipsec_key_file_t:file open; allow init_t ipsec_key_file_t:file getattr; Version-Release number of selected component (if applicable): selinux-policy-mls-3.13.1-183.el7 kernel-3.10.0-823.el7 audit-2.8.1-3.el7 libreswan-3.22-5.el7 How reproducible: 100% in MLS Steps to Reproduce: 1. Use default libreswan configuration. 2. Start ipsec service Actual results: AVC, access to configuration denied: ipsec_starter[4794]: warning: could not open include filename: '/etc/ipsec.d/audit-test-*.conf' Expected results: Configuration can be read and loaded, ipsec service starts successfully. Additional info: This seems to be a regression when compared to RHEL-7.4. This issue is reproducible in MLS policy only! Found during Common Criteria retention testing.