Bug 189749

Summary: no access to /proc/sys/net/ipv4/route/flush from openswan
Product: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: i686
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Artur Lipowski <alipowski>
Assignee: Daniel Walsh <dwalsh>
CC: dwalsh
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 20:02:39 UTC

Description Artur Lipowski 2006-04-24 11:37:45 UTC
Description of problem:
During ipsec startup I got the following errors from the "ipsec barf" command:
Apr 24 12:00:28 fw1 pluto[20039]: "roadwarrior"[2] 83.19.215.114 #4: up-client output: Cannot open "/proc/sys/net/ipv4/route/flush"
Apr 24 12:00:28 fw1 pluto[20039]: "roadwarrior"[2] 83.19.215.114 #4: route-client output: Cannot open "/proc/sys/net/ipv4/route/flush"

and audit reports the following issues:
type=AVC msg=audit(1145873089.975:11821): avc:  denied  { write } for  pid=20183 comm="ip" name="flush" dev=proc ino=-268435297 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=SYSCALL msg=audit(1145873089.975:11821): arch=40000003 syscall=5 success=no exit=-13 a0=8069024 a1=1 a2=0 a3=1 items=1 pid=20183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=CWD msg=audit(1145873089.975:11821):  cwd="/"
type=PATH msg=audit(1145873089.975:11821): item=0 name="/proc/sys/net/ipv4/route/flush" flags=101  inode=4026531999 dev=00:03 mode=0100200 ouid=0 ogid=0 rdev=00:00


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.29-3.fc5
openswan-2.4.4-1.1.2.1

How reproducible:
always

Steps to Reproduce:
1. start ipsec with defined connections
  
Expected results:
no such messages and working VPN

Comment 2 Daniel Walsh 2006-05-09 15:27:14 UTC
fixed in selinux-policy-2.2.38-1.FC5

Comment 3 Artur Lipowski 2006-05-11 11:36:11 UTC
Still no luck:
type=AVC msg=audit(1147344521.251:767): avc:  denied  { read } for  pid=2757 comm="ip" name="urandom" dev=tmpfs ino=1996 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1147344521.251:767): avc:  denied  { read write } for  pid=2757 comm="ip" name="[4421]" dev=sockfs ino=4421 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1147344521.251:767): arch=40000003 syscall=11 success=yes exit=0 a0=9f6b550 a1=9f6b7e0 a2=9f76d18 a3=9f6b490 items=2 pid=2757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=AVC_PATH msg=audit(1147344521.251:767):  path="socket:[4421]"
type=AVC_PATH msg=audit(1147344521.251:767):  path="/dev/urandom"
type=CWD msg=audit(1147344521.251:767):  cwd="/"
type=PATH msg=audit(1147344521.251:767): item=0 name="/sbin/ip" flags=101 inode=2107169 dev=08:13 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1147344521.251:767): item=1 flags=101  inode=875465 dev=08:13 mode=0100755 ouid=0 ogid=0 rdev=00:00

Comment 4 Daniel Walsh 2006-05-11 14:09:28 UTC
Could you 

setenforce 0

Run through a full connection.

Grab all the AVC messages and submit them.

Thanks.

Dan

Comment 5 Daniel Walsh 2006-05-11 14:10:34 UTC
Also, do you know which daemon is running in the initrc_t context that ip is
trying to talk to over the unix_stream_socket?

Dan

Comment 6 Artur Lipowski 2006-05-17 18:54:38 UTC
In enforcing mode:
103. 05/17/2006 02:51:19 PM /sbin/ip 11 yes /sbin/ip -1 4605
104. 05/17/2006 02:51:20 PM /sbin/ip 11 yes /sbin/ip -1 4606
105. 05/17/2006 02:51:20 PM /proc/sys/net/ipv4/route/flush 5 no /sbin/ip -1 4607
106. 05/17/2006 02:55:22 PM /sbin/ip 11 yes /sbin/ip -1 161
107. 05/17/2006 02:55:22 PM /sbin/ip 11 yes /sbin/ip -1 162
108. 05/17/2006 02:55:22 PM /sbin/ip 11 yes /sbin/ip -1 163
109. 05/17/2006 02:55:22 PM /proc/sys/net/ipv4/route/flush 5 no /sbin/ip -1 164

752. 05/17/2006 02:51:19 PM ip system_u:system_r:ifconfig_t:s0 11
unix_stream_socket read system_u:object_r:urandom_device_t:s0 denied 4605
753. 05/17/2006 02:51:20 PM ip system_u:system_r:ifconfig_t:s0 11
unix_stream_socket read system_u:object_r:urandom_device_t:s0 denied 4606
754. 05/17/2006 02:51:20 PM ip system_u:system_r:ifconfig_t:s0 5 file write
system_u:object_r:sysctl_net_t:s0 denied 4607
755. 05/17/2006 02:51:21 PM ip system_u:system_r:ifconfig_t:s0 102
netlink_xfrm_socket create system_u:system_r:ifconfig_t:s0 denied 4608

In permissive mode:
137. 05/17/2006 03:31:24 PM /sbin/ip 11 yes /sbin/ip -1 361
138. 05/17/2006 03:31:24 PM /proc/sys/net/ipv4/route/flush 5 yes /sbin/ip -1 362
139. 05/17/2006 03:31:28 PM /sbin/ip 11 yes /sbin/ip 0 373
140. 05/17/2006 03:31:28 PM /proc/sys/net/ipv4/route/flush 5 yes /sbin/ip 0 374

928. 05/17/2006 03:31:24 PM ip system_u:system_r:ifconfig_t:s0 11
unix_stream_socket read system_u:object_r:urandom_device_t:s0 denied 361
929. 05/17/2006 03:31:24 PM ip system_u:system_r:ifconfig_t:s0 5 file write
system_u:object_r:sysctl_net_t:s0 denied 362
930. 05/17/2006 03:31:25 PM ip root:system_r:ifconfig_t:s0 102
netlink_xfrm_socket create root:system_r:ifconfig_t:s0 denied 363
931. 05/17/2006 03:31:25 PM ip root:system_r:ifconfig_t:s0 102
netlink_xfrm_socket setopt root:system_r:ifconfig_t:s0 denied 364
932. 05/17/2006 03:31:25 PM ip root:system_r:ifconfig_t:s0 102
netlink_xfrm_socket bind root:system_r:ifconfig_t:s0 denied 365
933. 05/17/2006 03:31:25 PM ip root:system_r:ifconfig_t:s0 102
netlink_xfrm_socket getattr root:system_r:ifconfig_t:s0 denied 366
934. 05/17/2006 03:31:25 PM ip root:system_r:ifconfig_t:s0 102
netlink_xfrm_socket write root:system_r:ifconfig_t:s0 denied 367
935. 05/17/2006 03:31:25 PM ip root:system_r:ifconfig_t:s0 102
netlink_xfrm_socket read root:system_r:ifconfig_t:s0 denied 368
936. 05/17/2006 03:31:28 PM ip root:system_r:ifconfig_t:s0 11 unix_stream_socket
read system_u:object_r:urandom_device_t:s0 denied 373
937. 05/17/2006 03:31:28 PM ip root:system_r:ifconfig_t:s0 5 file write
system_u:object_r:sysctl_net_t:s0 denied 374

Apropos "talking" to unix_stream_socket: here is a full list of "normal"
processes on this server.
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:01 init [3]
    2 ?        S      0:00 [migration/0]
    3 ?        SN     0:00 [ksoftirqd/0]
    4 ?        S      0:00 [watchdog/0]
    5 ?        S      0:00 [migration/1]
    6 ?        SN     0:00 [ksoftirqd/1]
    7 ?        S      0:00 [watchdog/1]
    8 ?        S<     0:00 [events/0]
    9 ?        S<     0:00 [events/1]
   10 ?        S<     0:00 [khelper]
   11 ?        S<     0:00 [kthread]
   14 ?        S<     0:00 [kblockd/0]
   15 ?        S<     0:00 [kblockd/1]
   16 ?        S<     0:00 [kacpid]
  143 ?        S      0:00 [pdflush]
  144 ?        S      0:02 [pdflush]
  145 ?        S      0:00 [kswapd0]
  146 ?        S<     0:00 [aio/0]
  147 ?        S<     0:00 [aio/1]
  225 ?        S<     0:00 [kseriod]
  264 ?        S<     0:00 [ata/0]
  265 ?        S<     0:00 [ata/1]
  267 ?        S<     0:00 [scsi_eh_0]
  268 ?        S<     0:00 [scsi_eh_1]
  282 ?        S      0:00 [kirqd]
  288 ?        S      0:00 [kjournald]
  354 ?        S<s    0:00 /sbin/udevd -d
  512 ?        S<     0:00 [kpsmoused]
  864 ?        S      0:00 [kjournald]
  866 ?        S      0:18 [kjournald]
  946 ?        Ss     0:00 cpuspeed -d -n
  947 ?        S      0:00 cpuspeed -d -n
 1315 ?        S<sl   0:03 auditd
 1317 ?        S<     0:00 [kauditd]
 1328 ?        Ss     0:09 syslogd -m 0
 1331 ?        Ss     0:00 klogd -x
 1340 ?        Ss     0:03 irqbalance
 1347 ?        Ssl    0:00 dbus-daemon --system
 1356 ?        Ss     0:00 /usr/sbin/acpid
 1585 ?        Ss     0:02 /usr/sbin/sshd
 1640 ?        Ss     0:00 /usr/sbin/apcupsd -f /etc/apcupsd/apcupsd.conf
 1648 ?        Ss     0:00 crond
 1710 ?        Ss     0:00 /usr/sbin/atd
 1718 ?        Ss     0:02 hald
 1719 ?        S      0:00 hald-runner
 1725 ?        S      0:00 /usr/libexec/hald-addon-acpi
 1729 ?        S      0:00 /usr/libexec/hald-addon-keyboard
 1738 ?        S      0:08 /usr/libexec/hald-addon-storage
 1745 tty2     Ss+    0:00 /sbin/mingetty tty2
 1746 tty3     Ss+    0:00 /sbin/mingetty tty3
 1747 tty4     Ss+    0:00 /sbin/mingetty tty4
 1748 tty5     Ss+    0:00 /sbin/mingetty tty5
 1749 tty6     Ss+    0:00 /sbin/mingetty tty6
 1838 tty1     Ss+    0:00 /sbin/mingetty tty1
 2132 ?        Ss     0:00 squid -D
 2134 ?        S      0:58 (squid) -D
 2136 ?        Ss     0:01 (unlinkd)
 2278 ?        S      0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug  --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_traversal yes
 2279 ?        S      0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug  --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_traversal yes
 2280 ?        S      0:00 logger -s -p daemon.error -t ipsec__plutorun
 2281 ?        S      0:00 /usr/libexec/ipsec/pluto --nofork --secretsfile
/etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqu
 2282 ?        S      0:00 /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
 2286 ?        SN     0:00 pluto helper  #  0
 2316 ?        S      0:00 _pluto_adns
 9149 ?        Ss     0:02 sshd: root@pts/0
 9153 pts/0    Ss     0:00 -bash
 9538 pts/0    R+     0:00 ps ax


Comment 7 Daniel Walsh 2006-05-17 19:11:26 UTC
Can you do the ps list with -Z? I want to see which processes are running as
initrc_t. Also, can you attach the avc messages from /var/log/messages?
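Comments 4 and 7 ask for the complete set of AVC messages from a run; the first thing a policy maintainer does with such a dump is group the denials by source type, target type and object class and check, via the matching SYSCALL record, whether each one actually blocked the operation (enforcing) or was only logged (permissive). The following is an added example, not code from this bug or from the selinux-policy or openswan projects: a small parser that does that grouping over the records quoted in this report. The sample log is constructed from the page's own records, reflowed to one record per line as auditd writes them; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the audit records quoted in this bug, one record per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1145873089.975:11821): avc:  denied  { write } for  pid=20183 comm="ip" name="flush" dev=proc ino=-268435297 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=SYSCALL msg=audit(1145873089.975:11821): arch=40000003 syscall=5 success=no exit=-13 a0=8069024 a1=1 a2=0 a3=1 items=1 pid=20183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=PATH msg=audit(1145873089.975:11821): item=0 name="/proc/sys/net/ipv4/route/flush" flags=101  inode=4026531999 dev=00:03 mode=0100200 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1147344521.251:767): avc:  denied  { read } for  pid=2757 comm="ip" name="urandom" dev=tmpfs ino=1996 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1147344521.251:767): avc:  denied  { read write } for  pid=2757 comm="ip" name="[4421]" dev=sockfs ino=4421 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1147344521.251:767): arch=40000003 syscall=11 success=yes exit=0 a0=9f6b550 a1=9f6b7e0 a2=9f76d18 a3=9f6b490 items=2 pid=2757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
"""

# An AVC record: decision, permission set, and the three fields a rule is built from.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# The SYSCALL record carries the same serial and tells us whether the call was refused.
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<success>yes|no) exit=(?P<exit>-?\d+)'
)
# Generic key=value (quoted or bare) for the remaining fields (pid, comm, name, ...).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """user:role:type:level -> type (the part TE rules are written against)."""
    return context.split(':')[2]


def parse_avc_records(text):
    """Return one dict per AVC record found in the audit text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        records.append({
            'serial': int(m.group('serial')),
            'decision': m.group('decision'),
            'perms': set(m.group('perms').split()),
            'scontext': m.group('scontext'),
            'tcontext': m.group('tcontext'),
            'tclass': m.group('tclass'),
            'comm': fields.get('comm'),
            'pid': int(fields['pid']) if 'pid' in fields else None,
            'name': fields.get('name'),
        })
    return records


def syscall_outcomes(text):
    """serial -> (syscall succeeded?, exit code); success=no/exit=-13 is an enforced EACCES."""
    out = {}
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            out[int(m.group('serial'))] = (m.group('success') == 'yes', int(m.group('exit')))
    return out


def summarize(records):
    """Group denials by (source type, target type, class) and union their permissions."""
    grouped = defaultdict(set)
    for r in records:
        if r['decision'] != 'denied':
            continue
        key = (type_of(r['scontext']), type_of(r['tcontext']), r['tclass'])
        grouped[key] |= r['perms']
    return {k: sorted(v) for k, v in grouped.items()}


def as_allow_rules(summary):
    """Render the grouped denials as candidate TE rules, in the form audit2allow would print.
    These are a starting point for review, not a fix: each one must be judged on whether
    the access is something the domain legitimately needs."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]


if __name__ == '__main__':
    recs = parse_avc_records(SAMPLE_AUDIT_LOG)
    outcomes = syscall_outcomes(SAMPLE_AUDIT_LOG)
    for r in recs:
        blocked = not outcomes.get(r['serial'], (True, 0))[0]
        print(f"serial {r['serial']} {r['comm']}({r['pid']}) {r['tclass']} {sorted(r['perms'])} "
              f"{'BLOCKED' if blocked else 'logged only'}")
    for rule in as_allow_rules(summarize(recs)):
        print(rule)
```

Run on the sample, the first record (serial 11821) pairs with success=no exit=-13, so the write to /proc/sys/net/ipv4/route/flush was actually refused, which matches the "Cannot open" output in the description; the serial 767 records pair with success=yes, so those denials did not stop the execve. Note also that the unix_stream_socket denial names the socket's creating context (initrc_t) and inode ("[4421]"), not the process holding it, which is why the AVC alone cannot answer Comment 5 and a `ps -Z` listing is needed.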

Comment 8 Daniel Walsh 2007-03-28 20:02:39 UTC
Closing bugs