Bug 2230277

Summary: Allow ipsec to read nsfs files
Product: Red Hat Enterprise Linux 9 Reporter: Michal Ruprich <mruprich>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: VERIFIED --- QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 9.3CC: fhrdina, lvrabec, mmalik, nknazeko, zpytela
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-38.1.20-1.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Ruprich 2023-08-09 08:51:00 UTC 
Description of problem:
While working on bug #2215346 when all the FRR related AVCs are fixed, there is a new AVC that comes from ipsec:

type=PROCTITLE msg=audit(08/08/2023 04:02:16.354:311) : proctitle=/usr/bin/sh /sbin/ipsec --piddir 
type=EXECVE msg=audit(08/08/2023 04:02:16.354:311) : argc=3 a0=/usr/bin/sh a1=/sbin/ipsec a2=--piddir 
type=SYSCALL msg=audit(08/08/2023 04:02:16.354:311) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5568af67dbf0 a1=0x5568af67e4d0 a2=0x5568af67bd20 a3=0x8 items=0 ppid=8124 pid=8128 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=ipsec exe=/usr/bin/bash subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(08/08/2023 04:02:16.354:311) : avc:  denied  { read } for  pid=8128 comm=ipsec path=net:[4026531840] dev="nsfs" ino=4026531840 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-38.1.18-1.el9.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install version of FRR with fixed SELinux denials from bug #2215346, the version of frr and frr-selinux are available here:
https://people.redhat.com/mruprich/frr-8.3.1-13.el9.x86_64.rpm
https://people.redhat.com/mruprich/frr-selinux-8.3.1-13.el9.noarch.rpm

AND 

install libreswan package as well for ipsec.

2. Change the /etc/frr/daemons file to start some daemons for frr (probably just nhrpd but you can simply start all):

# sed -i 's/=no/=yes/gi' /etc/frr/daemons
# systemctl start frr

3. Check for AVCs:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=PROCTITLE msg=audit(08/09/2023 04:40:32.381:332) : proctitle=/usr/bin/sh /sbin/ipsec --piddir 
type=EXECVE msg=audit(08/09/2023 04:40:32.381:332) : argc=3 a0=/usr/bin/sh a1=/sbin/ipsec a2=--piddir 
type=SYSCALL msg=audit(08/09/2023 04:40:32.381:332) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x557ff5493bf0 a1=0x557ff54944d0 a2=0x557ff5491d20 a3=0x8 items=0 ppid=7808 pid=7812 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=ipsec exe=/usr/bin/bash subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(08/09/2023 04:40:32.381:332) : avc:  denied  { read } for  pid=7812 comm=ipsec path=net:[4026531840] dev="nsfs" ino=4026531840 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0

Actual results:
AVC from ipsec

Expected results:
No AVC
Comment 1 Milos Malik 2023-08-09 09:43:03 UTC 
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(08/09/2023 05:41:18.078:874) : proctitle=/usr/bin/sh /sbin/ipsec --piddir 
type=PATH msg=audit(08/09/2023 05:41:18.078:874) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=6505535 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/09/2023 05:41:18.078:874) : item=1 name=/usr/bin/sh inode=4465808 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/09/2023 05:41:18.078:874) : item=0 name=/sbin/ipsec inode=7508807 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ipsec_mgmt_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/09/2023 05:41:18.078:874) : cwd=/ 
type=EXECVE msg=audit(08/09/2023 05:41:18.078:874) : argc=3 a0=/usr/bin/sh a1=/sbin/ipsec a2=--piddir 
type=SYSCALL msg=audit(08/09/2023 05:41:18.078:874) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55f1e9fb9bf0 a1=0x55f1e9fba4d0 a2=0x55f1e9fb7d20 a3=0x8 items=3 ppid=55071 pid=55077 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=ipsec exe=/usr/bin/bash subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(08/09/2023 05:41:18.078:874) : avc:  denied  { read } for  pid=55077 comm=ipsec path=net:[4026531840] dev="nsfs" ino=4026531840 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0 
----

# rpm -qa selinux\* libreswan\* frr\* | sort
frr-8.3.1-13.el9.x86_64
frr-selinux-8.3.1-13.el9.noarch
libreswan-4.9-4.el9_2.x86_64
selinux-policy-38.1.18-1.el9.noarch
selinux-policy-devel-38.1.18-1.el9.noarch
selinux-policy-targeted-38.1.18-1.el9.noarch
#
Comment 2 Milos Malik 2023-08-09 09:44:56 UTC 
Caught in permissive mode:
----
type=PROCTITLE msg=audit(08/09/2023 05:43:35.952:882) : proctitle=/usr/bin/sh /sbin/ipsec --piddir 
type=PATH msg=audit(08/09/2023 05:43:35.952:882) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=6505535 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/09/2023 05:43:35.952:882) : item=1 name=/usr/bin/sh inode=4465808 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/09/2023 05:43:35.952:882) : item=0 name=/sbin/ipsec inode=7508807 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ipsec_mgmt_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/09/2023 05:43:35.952:882) : cwd=/ 
type=EXECVE msg=audit(08/09/2023 05:43:35.952:882) : argc=3 a0=/usr/bin/sh a1=/sbin/ipsec a2=--piddir 
type=SYSCALL msg=audit(08/09/2023 05:43:35.952:882) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x56169f28cbf0 a1=0x56169f28d4d0 a2=0x56169f28ad20 a3=0x8 items=3 ppid=55279 pid=55283 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=ipsec exe=/usr/bin/bash subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(08/09/2023 05:43:35.952:882) : avc:  denied  { read } for  pid=55283 comm=ipsec path=net:[4026531840] dev="nsfs" ino=4026531840 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 
----
Comment 6 Zdenek Pytela 2023-08-11 11:07:27 UTC 
Commit to backport:
643dd51a4 (HEAD -> rawhide, upstream/rawhide) Allow ipsec read nsfs files