Bug 1931848

Summary: selinux-policy prevents ipsec/pluto to work over TCP
Product: Red Hat Enterprise Linux 8 Reporter: Ondrej Moriš <omoris>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact: Khushbu Borole <kborole>
Priority: medium    
Version: 8.4CC: jafiala, kborole, lvrabec, mjahoda, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: 8.5Flags: kborole: needinfo-
kborole: needinfo-
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-68.el8 Doc Type: Bug Fix
Doc Text:
.`selinux-policy` now supports IPsec-based VPNs using TCP encapsulation Since RHEL 8.4, the `libreswan` packages have supported IPsec-based VPNs using TCP encapsulation, but the `selinux-policy` package did not reflect this update. As a consequence, when Libreswan was configured to use TCP, the `ipsec` service failed to bind to the given TCP port. With this update to the `selinux-policy` package, the `ipsec` service can bind and connect to the commonly used TCP port `4500`, and therefore you can use TCP encapsulation in IPsec-based VPNs.
 Story Points: ---
Clone Of:
: 1951471 (view as bug list) Environment:
Last Closed: 2021-11-09 19:42:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ondrej Moriš 2021-02-23 11:55:17 UTC 
Description of problem:

In RHEL-8.4, libreswan added a new feature - IKEv2 / ESP over TCP (BZ#1372050). Current selinux-policy restricts libreswan too much be able to use this feature. Please notice that by default this feature is disabled and it is mostly recommend to use it only if UDP traffic is blocked [1].

[1] https://libreswan.org/wiki/RFC_8229_-_TCP_support_for_IKEv2_and_ESP#When_to_use_TCP_for_IKE_and_EPS

Version-Release number of selected component (if applicable):

libreswan-4.3-1.el8
selinux-policy-3.14.3-63.el8

How reproducible:

100%

Steps to Reproduce:

1. Edit default /etc/ipsec.conf and uncomment listep-tcp=yes in the config section to enable IKEv2 over TCP.

2. Start ipsec service.

3. See audit log.

Actual results:

time->Tue Feb 23 06:35:00 2021
type=PROCTITLE msg=audit(1614080100.606:1029): proctitle=2F7573722F6C6962657865632F69707365632F706C75746F002D2D6C65616B2D646574656374697665002D2D636F6E666967002F6574632F69707365632E636F6E66002D2D6E6F666F726B
type=SYSCALL msg=audit(1614080100.606:1029): arch=c000003e syscall=49 success=no exit=-13 a0=15 a1=7ffdde04ec34 a2=1c a3=7ffdde04eb30 items=0 ppid=1 pid=35193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1614080100.606:1029): avc:  denied  { name_bind } for  pid=35193 comm="pluto" src=4500 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0

Expected results:

No AVCs.

Additional info:

# ausearch -ts 06:34:35 -m AVC | audit2allow

#============= ipsec_t ==============
allow ipsec_t ipsecnat_port_t:tcp_socket name_bind;
Comment 1 Milos Malik 2021-02-23 12:47:10 UTC 
Please re-test with the latest selinux-policy installed.
Comment 2 Milos Malik 2021-02-23 13:02:21 UTC 
I'm sorry. The latest selinux-policy only allows udp_socket:

# sesearch -s ipsec_t -t ipsecnat_port_t -p name_bind -A
allow ipsec_t ipsecnat_port_t:udp_socket name_bind;
#
Comment 3 Milos Malik 2021-02-23 13:54:07 UTC 
Following SELinux denial appeared several times in enforcing mode:
----
type=PROCTITLE msg=audit(02/23/2021 14:52:35.112:1947) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork 
type=SOCKADDR msg=audit(02/23/2021 14:52:35.112:1947) : saddr={ saddr_fam=inet6 laddr=::1 lport=4500 } 
type=SYSCALL msg=audit(02/23/2021 14:52:35.112:1947) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x1b a1=0x7ffd0d3e72d4 a2=0x1c a3=0x7ffd0d3e71d0 items=0 ppid=1 pid=81461 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(02/23/2021 14:52:35.112:1947) : avc:  denied  { name_bind } for  pid=81461 comm=pluto src=4500 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0 
----
Comment 4 Milos Malik 2021-02-23 13:55:49 UTC 
The only SELinux denial which appeared in permissive mode is:
----
type=PROCTITLE msg=audit(02/23/2021 14:55:08.761:1977) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork 
type=SOCKADDR msg=audit(02/23/2021 14:55:08.761:1977) : saddr={ saddr_fam=inet laddr=192.168.124.1 lport=4500 } 
type=SYSCALL msg=audit(02/23/2021 14:55:08.761:1977) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x16 a1=0x7ffc25ca0234 a2=0x10 a3=0x7ffc25ca0130 items=0 ppid=1 pid=82438 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(02/23/2021 14:55:08.761:1977) : avc:  denied  { name_bind } for  pid=82438 comm=pluto src=4500 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=1 
----
Comment 11 Ondrej Moriš 2021-03-08 17:35:59 UTC 
I just found out that there is one more AVC:

----
time->Mon Mar  8 12:28:35 2021
type=PROCTITLE msg=audit(1615224515.200:779): proctitle=2F7573722F6C6962657865632F69707365632F706C75746F002D2D6C65616B2D646574656374697665002D2D636F6E666967002F6574632F69707365632E636F6E66002D2D6E6F666F726B
type=SOCKADDR msg=audit(1615224515.200:779): saddr=020011940A008B240000000000000000
type=SYSCALL msg=audit(1615224515.200:779): arch=c000003e syscall=42 success=yes exit=0 a0=19 a1=7ffc2ba53074 a2=10 a3=0 items=0 ppid=1 pid=17348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1615224515.200:779): avc:  denied  { name_connect } for  pid=17348 comm="pluto" dest=4500 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=1

Therefore, the rule we need to add is actually as follows:

#============= ipsec_t ==============
allow ipsec_t ipsecnat_port_t:tcp_socket { name_bind name_connect };

IOW, not only name_bind for tcp_socket is needed but also name_connect permission.
Comment 12 Ondrej Moriš 2021-03-16 08:30:17 UTC 
Proposing "Known Issue" Doc Type. ESPinTCP feature will be present in RHEL-8.4 and this bug will prevent its usage. Therefore I think it would be good to document this known issue. The only workaround now is to use custom policy module with the following rule:

#============= ipsec_t ==============
allow ipsec_t ipsecnat_port_t:tcp_socket { name_bind name_connect };
Comment 15 Zdenek Pytela 2021-04-27 18:01:08 UTC 
Merged in rawhide:
commit e3778cb9326fe086398f7b703557b9f3ef41f270 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Mon Apr 26 17:07:01 2021 +0200

    Allow pluto IKEv2 / ESP over TCP

    Libreswan and kernel have recently started to support transporting IKEv2
    and ESP packets over a TCP connection, described in RFC 8229, for
    traversing network middleboxes that may block IKE negotiation over UDP.

    The option is not enabled in libreswan by default, but anyway needs to
    be backed by SELinux policy in case the use was requested.
    By default, the 4500/tcp port is used.

    Resolves: rhbz#1931848
Comment 33 errata-xmlrpc 2021-11-09 19:42:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420