Bug 207304

Summary: [FC6 regression] SELinux breaks openswan
Product: Fedora
Reporter: Stefan Becker <chemobejk>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 6
CC: mattdm
Hardware: i686
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-04-09 14:08:50 UTC

Attachments:
audit log from /var/log/messages

Description Stefan Becker 2006-09-20 15:52:18 UTC
Description of problem:

openswan can set up IPSec connections but then is no longer allowed to send
network packets.

Version-Release number of selected component (if applicable):

selinux-policy-2.3.13-5
selinux-policy-targeted-2.3.13-5
openswan-2.4.5-2.1

How reproducible: Always


Steps to Reproduce:
1. service ipsec start
2. ipsec auto --up roadwarrior (in my configuration)
Actual results:

# service ipsec start
Starting IPsec:  Starting Openswan IPsec 2.4.5...
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/key/af_key.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/ipv4/ah4.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/ipv4/esp4.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/ipv4/ipcomp.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/ipv4/tunnel4.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/ipv4/xfrm4_tunnel.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/drivers/crypto/padlock.ko
FATAL: Error inserting padlock
(/lib/modules/2.6.17-1.2647.fc6/kernel/drivers/crypto/padlock.ko): No such device
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/crypto/md5.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/crypto/des.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/crypto/aes.ko
                                                           [  OK  ]
# ipsec auto --up roadwarrior
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=110
003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using 3: no NAT detected
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "roadwarrior" #2: STATE_QUICK_I1: initiate
003 ERROR: "roadwarrior" #2: sendto on ath0 to 192.168.3.1:500 failed in
STATE_QUICK_I1. Errno 11: Resource temporarily unavailable
004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x7e8145d3 <0x1ae03597 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}


Expected results:

# setenforce 0
# service ipsec start
Starting IPsec:  Starting Openswan IPsec 2.4.5...
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/key/af_key.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/ipv4/xfrm4_tunnel.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/drivers/crypto/padlock.ko
FATAL: Error inserting padlock
(/lib/modules/2.6.17-1.2647.fc6/kernel/drivers/crypto/padlock.ko): No such device
                                                           [  OK  ]
# ipsec auto --up roadwarrior
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=110
003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using 3: no NAT detected
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "roadwarrior" #2: STATE_QUICK_I1: initiate
004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x7e8145d4 <0xa0a59120 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}


Additional info: See attached audit messages.

Comment 1 Stefan Becker 2006-09-20 15:52:18 UTC
Created attachment 136751 [details]
audit log from /var/log/messages

Comment 2 Stefan Becker 2006-09-23 10:05:32 UTC
Forgot to mention that this worked OK on FC5...

Comment 3 Daniel Walsh 2006-09-23 11:03:23 UTC
For now you can build a loadable policy module using audit2allow to allow this access

audit2allow -M local < /var/log/messages

Generating type enforcment file: local.te
Compiling policy
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod

******************** IMPORTANT ***********************

In order to load this newly created policy package into the kernel,
you are required to execute 

semodule -i local.pp

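The `audit2allow -M local < /var/log/messages` recipe in Comment 3 turns every denial in the file into an allow rule, including any that have nothing to do with openswan. As an added example (not from this bug, nor from the audit2allow project), a small Python reviewer that parses the AVC lines, keeps only the source domain you care about and renders the module body you are about to load with `semodule -i`; the sample log lines, the `ipsec_t`/`unlabeled_t` contexts and the `association` class are constructed assumptions, not the contents of the attachment.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel AVC format that FC6 wrote to
# /var/log/messages. Contexts, classes and pids are illustrative
# assumptions, not the contents of the attachment on this bug.
SAMPLE_LOG = """\
Sep 20 17:40:01 fc6 kernel: audit(1158766801.123:17): avc:  denied  { sendto } for  pid=2712 comm="pluto" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
Sep 20 17:40:01 fc6 kernel: audit(1158766801.456:18): avc:  denied  { recvfrom } for  pid=2712 comm="pluto" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
Sep 20 17:41:09 fc6 kernel: audit(1158766869.001:19): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" dev=sda2 ino=9981 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Sep 20 17:40:02 fc6 kernel: audit(1158766802.789:20): avc:  denied  { sendto } for  pid=2712 comm="pluto" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """The third field of user:role:type[:level] is the SELinux type."""
    return context.split(":")[2]

def collect_rules(log_text, domain=None):
    """Aggregate AVC denials into {(src_type, tgt_type, tclass): {perms}}.
    With domain set, keep only denials from that source type (audit2allow
    fed the whole log does no such filtering)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue                      # not an AVC denial line
        src = type_of(m["scon"])
        if domain is not None and src != domain:
            continue                      # denial belongs to another domain
        rules[(src, type_of(m["tcon"]), m["tclass"])] |= set(m["perms"].split())
    return dict(rules)

def render_te(rules, name="local"):
    """Render the rules as the .te module body audit2allow would generate."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)
```

Compare `render_te(collect_rules(SAMPLE_LOG))` with `render_te(collect_rules(SAMPLE_LOG, domain="ipsec_t"))`: the unfiltered module also carries the unrelated `httpd_t` rule, which is exactly what piping the whole of /var/log/messages into audit2allow would load.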

Comment 4 Stefan Becker 2006-09-23 16:05:55 UTC
Yep, that helps...

Comment 5 Daniel Walsh 2006-09-28 18:43:41 UTC
Fixed in selinux-policy-2.3.16-6

Comment 6 Stefan Becker 2006-10-01 10:30:01 UTC
Verified with selinux-policy-2.3.16-9


Comment 7 Matthew Miller 2007-04-06 18:01:19 UTC
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer
test releases. We're cleaning up the bug database and making sure important bug
reports filed against these test releases don't get lost. It would be helpful if
you could test this issue with a released version of Fedora or with the latest
development / test release. Thanks for your help and for your patience.

[This is a bulk message for all open FC5/FC6 test release bugs. I'm adding
myself to the CC list for each bug, so I'll see any comments you make after this
and do my best to make sure every issue gets proper attention.]