Bug 1848355

Summary: default label for the /run/strongswan directory is not correct
Product: Red Hat Enterprise Linux 8
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: low
Version: 8.3
CC: jan.public, lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rc
Keywords: Triaged
Target Release: 8.4
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-18 14:57:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Milos Malik 2020-06-18 08:34:26 UTC
Description of problem:
If the strongswan service is running and the root user executes "restorecon -Rv /run", then certain strongswan files get mislabeled and a restart of the service becomes difficult.

# restorecon -Rv /run
Relabeled /run/strongswan/charon.vici from system_u:object_r:ipsec_var_run_t:s0 to system_u:object_r:var_run_t:s0
Relabeled /run/strongswan/charon.ctl from system_u:object_r:ipsec_var_run_t:s0 to system_u:object_r:var_run_t:s0
Relabeled /run/strongswan/charon.dck from system_u:object_r:ipsec_var_run_t:s0 to system_u:object_r:var_run_t:s0
#

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-45.el8.noarch
selinux-policy-devel-3.14.3-45.el8.noarch
selinux-policy-doc-3.14.3-45.el8.noarch
selinux-policy-sandbox-3.14.3-45.el8.noarch
selinux-policy-targeted-3.14.3-45.el8.noarch
strongswan-5.8.2-5.el8.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-8.3 machine (targeted policy is active)
2. run the following automated TC:
 * TC#57320 - /CoreOS/selinux-policy/Regression/strongswan-and-similar
3. search for SELinux denials

Actual results:
# matchpathcon /run/strongswan/
/run/strongswan	system_u:object_r:var_run_t:s0
#
----
type=PROCTITLE msg=audit(06/18/2020 10:13:51.508:972) : proctitle=/usr/libexec/strongswan/charon 
type=PATH msg=audit(06/18/2020 10:13:51.508:972) : item=1 name=/run/strongswan/charon.dck inode=278724 dev=00:17 mode=socket,770 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/18/2020 10:13:51.508:972) : item=0 name=/run/strongswan/ inode=23473 dev=00:17 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/18/2020 10:13:51.508:972) : cwd=/ 
type=SYSCALL msg=audit(06/18/2020 10:13:51.508:972) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x7ffcb1a9e2f2 a1=0x1 a2=0x0 a3=0x12 items=2 ppid=71889 pid=71895 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=charon exe=/usr/libexec/strongswan/charon subj=system_u:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(06/18/2020 10:13:51.508:972) : avc:  denied  { unlink } for  pid=71895 comm=charon name=charon.dck dev="tmpfs" ino=278724 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(06/18/2020 10:13:51.517:973) : proctitle=/usr/libexec/strongswan/charon 
type=PATH msg=audit(06/18/2020 10:13:51.517:973) : item=1 name=/run/strongswan/charon.ctl inode=278735 dev=00:17 mode=socket,770 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/18/2020 10:13:51.517:973) : item=0 name=/run/strongswan/ inode=23473 dev=00:17 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/18/2020 10:13:51.517:973) : cwd=/ 
type=SYSCALL msg=audit(06/18/2020 10:13:51.517:973) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x7ffcb1a9e342 a1=0x1 a2=0x0 a3=0x558ad86751d0 items=2 ppid=71889 pid=71895 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=charon exe=/usr/libexec/strongswan/charon subj=system_u:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(06/18/2020 10:13:51.517:973) : avc:  denied  { unlink } for  pid=71895 comm=charon name=charon.ctl dev="tmpfs" ino=278735 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(06/18/2020 10:13:51.517:974) : proctitle=/usr/libexec/strongswan/charon 
type=PATH msg=audit(06/18/2020 10:13:51.517:974) : item=1 name=/run/strongswan/charon.vici inode=278737 dev=00:17 mode=socket,770 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/18/2020 10:13:51.517:974) : item=0 name=/run/strongswan/ inode=23473 dev=00:17 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/18/2020 10:13:51.517:974) : cwd=/ 
type=SYSCALL msg=audit(06/18/2020 10:13:51.517:974) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x7ffcb1a9e2d2 a1=0x1 a2=0x0 a3=0x558ad8673be0 items=2 ppid=71889 pid=71895 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=charon exe=/usr/libexec/strongswan/charon subj=system_u:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(06/18/2020 10:13:51.517:974) : avc:  denied  { unlink } for  pid=71895 comm=charon name=charon.vici dev="tmpfs" ino=278737 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 
----

Expected results:
# matchpathcon /run/strongswan/
/run/strongswan system_u:object_r:ipsec_var_run_t:s0
#
And no SELinux denials.

Additional information:
 * the strongswan package comes from EPEL
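The denials quoted in this report all have the same shape: the charon daemon, running in ipsec_t, is refused unlink on socket files that restorecon has just relabeled from ipsec_var_run_t to the generic var_run_t, because the policy has no default file context for /run/strongswan (the fix in the comment below is precisely to label that directory ipsec_var_run_t). The following Python script is an added example, not part of the bug report, of selinux-policy or of strongswan: it parses interpreted audit records of the kind shown above, groups them by audit serial number, extracts the source domain, target label, object class and denied permission from each AVC, resolves the full path from the matching PATH record, and flags any target whose observed type differs from the type expected for its directory. The sample records are trimmed copies of the ones quoted in the report; the EXPECTED_TYPES table (taken from the "Expected results" above) and every function name are my own assumptions.

```python
"""Group interpreted SELinux audit records by event and flag mislabeled targets."""
import re
from collections import defaultdict

# Constructed sample input: the AVC, PATH and SYSCALL records quoted in the
# bug report, with fields that are not needed here trimmed away.
SAMPLE_AUDIT = """\
type=PATH msg=audit(06/18/2020 10:13:51.508:972) : item=1 name=/run/strongswan/charon.dck inode=278724 mode=socket,770 obj=system_u:object_r:var_run_t:s0 nametype=DELETE
type=PATH msg=audit(06/18/2020 10:13:51.508:972) : item=0 name=/run/strongswan/ inode=23473 mode=dir,755 obj=system_u:object_r:var_run_t:s0 nametype=PARENT
type=SYSCALL msg=audit(06/18/2020 10:13:51.508:972) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) pid=71895 comm=charon exe=/usr/libexec/strongswan/charon subj=system_u:system_r:ipsec_t:s0
type=AVC msg=audit(06/18/2020 10:13:51.508:972) : avc:  denied  { unlink } for  pid=71895 comm=charon name=charon.dck dev="tmpfs" ino=278724 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=PATH msg=audit(06/18/2020 10:13:51.517:973) : item=1 name=/run/strongswan/charon.ctl inode=278735 mode=socket,770 obj=system_u:object_r:var_run_t:s0 nametype=DELETE
type=AVC msg=audit(06/18/2020 10:13:51.517:973) : avc:  denied  { unlink } for  pid=71895 comm=charon name=charon.ctl dev="tmpfs" ino=278735 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=PATH msg=audit(06/18/2020 10:13:51.517:974) : item=1 name=/run/strongswan/charon.vici inode=278737 mode=socket,770 obj=system_u:object_r:var_run_t:s0 nametype=DELETE
type=AVC msg=audit(06/18/2020 10:13:51.517:974) : avc:  denied  { unlink } for  pid=71895 comm=charon name=charon.vici dev="tmpfs" ino=278737 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
"""

# Assumed table: the type each directory's contents are expected to carry,
# taken from the "Expected results" section of the report.
EXPECTED_TYPES = {"/run/strongswan": "ipsec_var_run_t"}

# "type=AVC msg=audit(<timestamp>:<serial>) : <body>"; the timestamp itself
# contains colons, so the serial is taken as the last ":digits" before ")".
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>.*?):(?P<serial>\d+)\) : (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")       # "{ unlink }" in an AVC record


def parse_record(line):
    """Parse one interpreted audit line into its type, serial and key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    rec = {"type": m.group("type"), "serial": m.group("serial"), "fields": fields}
    if rec["type"] == "AVC":
        p = PERMS_RE.search(m.group("body"))
        rec["perms"] = p.group(1).split() if p else []
    return rec


def parse_audit(text):
    """Group all records that share an audit serial number into one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line.strip())
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def expected_type(path, expected=EXPECTED_TYPES):
    """Longest-prefix lookup of the type expected for a path, or None if unknown."""
    for prefix in sorted(expected, key=len, reverse=True):
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return expected[prefix]
    return None


def summarize_denials(events, expected=EXPECTED_TYPES):
    """One finding per AVC: who was denied what on which path, and whether the
    target's observed type matches the type expected for its directory."""
    findings = []
    for serial in sorted(events, key=int):
        recs = events[serial]
        # The object the syscall acted on is the PATH item that is not the parent dir.
        paths = [r["fields"]["name"] for r in recs
                 if r["type"] == "PATH" and r["fields"].get("nametype") != "PARENT"]
        for avc in (r for r in recs if r["type"] == "AVC"):
            f = avc["fields"]
            path = paths[0] if paths else f.get("name", "?")
            observed = context_type(f["tcontext"])
            want = expected_type(path, expected)
            findings.append({
                "serial": serial,
                "domain": context_type(f["scontext"]),
                "path": path,
                "tclass": f["tclass"],
                "perms": avc["perms"],
                "observed_type": observed,
                "expected_type": want,
                "mislabeled": want is not None and want != observed,
            })
    return findings


def format_finding(f):
    verdict = ("MISLABELED, expected %s" % f["expected_type"]) if f["mislabeled"] else "label as expected"
    return "event %s: %s denied %s on %s %s (observed %s; %s)" % (
        f["serial"], f["domain"], "/".join(f["perms"]), f["tclass"], f["path"],
        f["observed_type"], verdict)


if __name__ == "__main__":
    for finding in summarize_denials(parse_audit(SAMPLE_AUDIT)):
        print(format_finding(finding))
```

On a live system the same check runs over the output of `ausearch -i -m AVC -ts recent` (the interpreted format shown in the report is what `-i` produces). A MISLABELED finding for a directory the policy is supposed to know means restorecon applied a stale or missing default, which is what `matchpathcon /run/strongswan/` exposes directly. Until the policy update is installed, a local file-context rule (`semanage fcontext -a -t ipsec_var_run_t '/run/strongswan(/.*)?'` followed by `restorecon -Rv /run/strongswan`) gives the directory the expected default so a later recursive restorecon no longer breaks the running daemon.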

Comment 4 Zdenek Pytela 2021-02-10 21:19:10 UTC
Should suffice to backport:
commit a9a124efb4b03f40c01b66a73deb59f364281f86
Author: Zdenek Pytela <zpytela>
Date:   Mon Mar 23 16:05:26 2020 +0100

    Allow ipsec_t connectto ipsec_mgmt_t

    Allow ipsec_t connectto ipsec_mgmt_t using unix_stream_socket.
    Label /run/strongswan with ipsec_var_run_t.

    Resolves: rhbz#1815983

Comment 14 errata-xmlrpc 2021-05-18 14:57:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639