Bug 1916289

Summary: 3.14.3-59.el8 - breaks strongswan 5.8.x
Product: Red Hat Enterprise Linux 8
Reporter: lejeczek <peljasz>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: medium
Version: CentOS Stream
CC: lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: x86_64
OS: Linux
Doc Type: No Doc Update
Last Closed: 2021-02-17 21:06:54 UTC
Type: Bug

Description lejeczek 2021-01-14 13:34:01 UTC
Description of problem:

SELinux breaks service start:

-> $ journalctl -lf -o short -u strongswan
-- Logs begin at Thu 2021-01-14 12:22:46 GMT. --
Jan 14 13:06:03 dzien.private.pawel charon-systemd[7174]: HA config misses local/remote address
Jan 14 13:06:03 dzien.private.pawel charon-systemd[7174]: no script for ext-auth script defined, disabled
Jan 14 13:06:03 dzien.private.pawel charon-systemd[7174]: loaded plugins: charon-systemd pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Jan 14 13:06:03 dzien.private.pawel charon-systemd[7174]: spawning 16 worker threads
Jan 14 13:06:03 dzien.private.pawel swanctl[7191]: no files found matching '/etc/strongswan/strongswan.conf'
Jan 14 13:06:03 dzien.private.pawel swanctl[7191]: abort initialization due to invalid configuration
Jan 14 13:06:03 dzien.private.pawel systemd[1]: strongswan.service: Control process exited, code=exited status=64
Jan 14 13:06:03 dzien.private.pawel charon-systemd[7174]: SIGTERM received, shutting down
Jan 14 13:06:03 dzien.private.pawel systemd[1]: strongswan.service: Failed with result 'exit-code'.
Jan 14 13:06:03 dzien.private.pawel systemd[1]: Failed to start strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Jan 14 13:08:19 dzien.private.pawel systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Jan 14 13:08:19 dzien.private.pawel charon-systemd[7390]: PKCS11 module '<name>' lacks library path
Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.14.3-59.el8.noarch
selinux-policy-3.14.3-59.el8.noarch

Comment 1 Milos Malik 2021-01-14 14:30:31 UTC
Please collect SELinux denials and attach them here:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you.

Comment 2 Milos Malik 2021-01-14 14:35:45 UTC
I see these SELinux denials in permissive mode on my RHEL-8 VM, but I would like to know your SELinux denials:
----
type=PROCTITLE msg=audit(01/14/2021 15:31:52.896:587) : proctitle=/usr/sbin/swanctl --load-all --noprompt 
type=PATH msg=audit(01/14/2021 15:31:52.896:587) : item=0 name=/etc/strongswan/strongswan.d/charon inode=18033243 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ipsec_conf_file_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/14/2021 15:31:52.896:587) : cwd=/ 
type=SYSCALL msg=audit(01/14/2021 15:31:52.896:587) : arch=x86_64 syscall=openat success=yes exit=4 a0=0xffffff9c a1=0x7ffe04f2f8e0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=22419 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=swanctl exe=/usr/sbin/swanctl subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(01/14/2021 15:31:52.896:587) : avc:  denied  { read } for  pid=22419 comm=swanctl name=charon dev="vda2" ino=18033243 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(01/14/2021 15:31:53.068:588) : proctitle=/usr/sbin/swanctl --load-all --noprompt 
type=PATH msg=audit(01/14/2021 15:31:53.068:588) : item=0 name=/run/strongswan/charon.vici inode=524053 dev=00:17 mode=socket,770 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/14/2021 15:31:53.068:588) : cwd=/ 
type=SOCKADDR msg=audit(01/14/2021 15:31:53.068:588) : saddr={ saddr_fam=local path=/run/strongswan/charon.vici } 
type=SYSCALL msg=audit(01/14/2021 15:31:53.068:588) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x7 a1=0x7ffe04f31450 a2=0x1d a3=0x55fd598a5220 items=1 ppid=1 pid=22419 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=swanctl exe=/usr/sbin/swanctl subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(01/14/2021 15:31:53.068:588) : avc:  denied  { write } for  pid=22419 comm=swanctl name=charon.vici dev="tmpfs" ino=524053 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1 
----

Comment 3 Milos Malik 2021-01-14 15:28:23 UTC
# rpm -qa selinux-policy\* | sort
selinux-policy-3.14.3-59.el8.noarch
selinux-policy-devel-3.14.3-59.el8.noarch
selinux-policy-targeted-3.14.3-59.el8.noarch
# matchpathcon /etc/strongswan/
/etc/strongswan	system_u:object_r:ipsec_conf_file_t:s0
# matchpathcon /etc/strongswan/strongswan.d/
/etc/strongswan/strongswan.d	system_u:object_r:ipsec_conf_file_t:s0
# matchpathcon /etc/strongswan/strongswan.d/charon
/etc/strongswan/strongswan.d/charon	system_u:object_r:ipsec_conf_file_t:s0
# sesearch -s ipsec_mgmt_t -t ipsec_conf_file_t -c dir -A
#

Comment 4 lejeczek 2021-01-15 15:16:01 UTC
It seems to me these are "silent" denials:

-> $ restorecon -Fv /etc/strongswan/ -R
-> $ ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts 15:12 | egrep -i swan
...
type=PROCTITLE msg=audit(15/01/21 15:13:03.016:9665) : proctitle=/usr/sbin/swanctl --load-all --noprompt 
type=SYSCALL msg=audit(15/01/21 15:13:03.016:9665) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x7ffc2bc83a10 a1=0x7ffc2bc83aa0 a2=0x7ffc2bc83aa0 a3=0x0 items=0 ppid=1 pid=51674 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=swanctl exe=/usr/sbin/swanctl subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(15/01/21 15:13:03.016:9665) : avc:  denied  { search } for  pid=51674 comm=swanctl name=strongswan dev="dm-0" ino=67415444 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir permissive=0
...

You should be good to reproduce it as my env is nothing but plain vanilla CentOS 8 Stream.
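Added example (not code from this bug or from the selinux-policy project): a small parser for the `ausearch -i` AVC records quoted in comments 2 and 4, which merges them into audit2allow-style candidate rules and separates the two findings a reviewer would treat differently, the missing `ipsec_mgmt_t -> ipsec_conf_file_t:dir` access that comment 3's empty `sesearch` output confirms, and the VICI socket denial whose target carries the generic `var_run_t` label and therefore points at a labelling problem rather than a missing allow rule. The `GENERIC_TYPES` set is my own heuristic, and the three records are copied from the comments above.

```python
import re
from collections import defaultdict

# Constructed input: the three AVC records quoted in comments 2 and 4 of this
# bug, in `ausearch -i` output format (other record types omitted).
SAMPLE = """\
type=AVC msg=audit(01/14/2021 15:31:52.896:587) : avc:  denied  { read } for  pid=22419 comm=swanctl name=charon dev="vda2" ino=18033243 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(01/14/2021 15:31:53.068:588) : avc:  denied  { write } for  pid=22419 comm=swanctl name=charon.vici dev="tmpfs" ino=524053 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(15/01/21 15:13:03.016:9665) : avc:  denied  { search } for  pid=51674 comm=swanctl name=strongswan dev="dm-0" ino=67415444 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)
# Heuristic (my own, not from the page): a denial against one of these generic
# types usually means the object is mislabelled (here the VICI socket under
# /run carries var_run_t), so the fix is a file context, not an allow rule.
GENERIC_TYPES = {"var_run_t", "var_t", "etc_t", "tmp_t", "usr_t"}

def parse_avcs(text):
    """Return one dict per AVC record: source/target type, class, perms, mode."""
    out = []
    for m in AVC_RE.finditer(text):
        out.append({
            "stype": m["scon"].split(":")[2],   # user:role:type:level -> type
            "ttype": m["tcon"].split(":")[2],
            "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
            # permissive=0 means the denial was enforced (caller saw EACCES)
            "enforcing": m["permissive"] == "0",
        })
    return out

def candidate_rules(denials):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def relabel_suspects(denials):
    """Target types that look generic: fix labelling before adding allow rules."""
    return sorted({d["ttype"] for d in denials if d["ttype"] in GENERIC_TYPES})

if __name__ == "__main__":
    found = parse_avcs(SAMPLE)
    print(*candidate_rules(found), "relabel first:", relabel_suspects(found), sep="\n")
```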

Comment 5 lejeczek 2021-01-15 15:23:39 UTC
I run these:

-> $ rpm -qa \*swan\* | sort
strongswan-5.8.2-5.el8.x86_64
strongswan-libipsec-5.8.2-5.el8.x86_64

-> $ repoquery -i strongswan
Last metadata expiration check: 2:46:16 ago on Fri 15 Jan 2021 12:33:18 GMT.
Name         : strongswan
Version      : 5.8.2
Release      : 5.el8
Architecture : x86_64
Size         : 1.5 M
Source       : strongswan-5.8.2-5.el8.src.rpm
Repository   : epel
Summary      : An OpenSource IPsec-based VPN and TNC solution
URL          : http://www.strongswan.org/
License      : GPLv2+
Description  : The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key
             : exchange protocols in conjunction with the native NETKEY IPsec stack of the
             : Linux kernel.


And just in case (I think we talked about it somewhere else, in another bug report): these swans > 5.8.x use swanctl configs, so everything is in:
/etc/strongswan/swanctl/
as opposed to earlier versions, in:
/etc/strongswan/ipsec.d/
just in case.

Comment 8 lejeczek 2021-01-31 21:56:16 UTC
Do we have any update on this?
This should be easy to fix as it's very easy to reproduce.
regards, L.

Comment 9 Zdenek Pytela 2021-02-17 21:06:54 UTC

*** This bug has been marked as a duplicate of bug 1889542 ***

Comment 10 lejeczek 2021-03-01 13:01:08 UTC
Could we have in CentOS, Stream perhaps, what is in the Fedora policies?
Particularly those fcontext bits:

/etc/strongswan/ipsec\.d(/.*)?                     all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/ipsec\.secrets.*                   regular file       system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/bliss/(/.*)?               all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/ecdsa(/.*)?                all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/pkcs.*                     all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/private(/.*)?              all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/pubkey(/.*)?               all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/rsa(/.*)?                  all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/x509.*                     all files          system_u:object_r:ipsec_key_file_t:s0