Bug 453236

Summary: selinux-policy-targeted-3.3.1-69.fc9 breaks vpnc
Product: Fedora
Reporter: Rob Riggs <rob+redhat>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: urgent
Priority: low
Version: 9
CC: fbiete, jcm, jmorris, rjones
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-17 22:04:52 UTC

Description Rob Riggs 2008-06-28 03:55:41 UTC
Description of problem:
After latest update to selinux-policy-targeted-3.3.1-69.fc9.noarch, vpnc fails
with the following messages:

/etc/vpnc/vpnc-script: line 99: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 100: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 104: /sbin/ifconfig: Permission denied
/etc/vpnc/vpnc-script: line 123: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 123: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 124: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 133: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 134: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 135: /sbin/ip: Permission denied
VPNC started in background (pid: 5785)...

The network connection is unusable at that point.

Additional trouble report found here:
http://translate.google.com/translate?hl=en&sl=de&u=http://www.fedoraforum.de/viewtopic.php%3Ff%3D5%26p%3D87733&sa=X&oi=translate&resnum=1&ct=result


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-69.fc9.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install the selinux-policy-targeted-3.3.1-69.fc9.noarch update
2. Run Fedora in enforcing, targeted mode
3. Connect to a VPN via VPNC
  
Actual results:
As described above.

Expected results:
No error messages and a working VPN connection.

Additional info:
I downgraded to
selinux-policy-targeted-3.3.1-42.fc9.noarch.rpm and
selinux-policy-3.3.1-42.fc9.noarch.rpm
and VPNC works again.

Comment 1 Francisco Miguel Biete 2008-06-29 15:04:08 UTC
I find the same problem. VPNC connects but tun0 doesn't come up, so the connection is
unusable.

----------------
[root@localhost ~]# rpm -q selinux-policy selinux-policy-targeted vpnc
selinux-policy-3.3.1-69.fc9.noarch
selinux-policy-targeted-3.3.1-69.fc9.noarch
vpnc-0.5.1-5.fc9.i386

[root@localhost ~]# /usr/sbin/vpnc /etc/vpnc/gtt.conf                 
Connect Banner:
| Esta Accediendo Vd. a una zona restringida. Su tráfico quedará auditado.

/etc/vpnc/vpnc-script: line 99: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 100: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 104: /sbin/ifconfig: Permission denied
/etc/vpnc/vpnc-script: line 123: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 123: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 124: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 142: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 142: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 142: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 142: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 142: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 142: /sbin/ip: Permission denied
/etc/vpnc/vpnc-script: line 143: /sbin/ip: Permission denied
VPNC started in background (pid: 9040)...

[root@localhost ~]# ifconfig | grep -i tun0
[root@localhost ~]# ifconfig | grep -i tun
[root@localhost ~]#

[root@localhost ~]# sudo /usr/sbin/vpnc-disconnect
Terminating vpnc daemon (pid: 9040)

SELINUX IN PERMISSIVE MODE
[root@localhost ~]# /usr/sbin/vpnc /etc/vpnc/gtt.conf
Connect Banner:
| Esta Accediendo Vd. a una zona restringida. Su tráfico quedará auditado.

VPNC started in background (pid: 17412)...
[root@localhost ~]# ifconfig | grep -i tun0
tun0      Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
[root@localhost ~]#


So, it seems to be SELinux blocking VPNC, but no new messages appear with
ausearch -m avc

Comment 2 Jon Masters 2008-06-30 10:33:29 UTC
*** Bug 453360 has been marked as a duplicate of this bug. ***

Comment 3 Jon Masters 2008-06-30 10:42:27 UTC
Some data points:

* Starting via the NetworkManager wrapper works correctly (reads configuration
from standard input, doesn't use /etc/vpnc/vpnc-script). Context of running VPNC
instance is as follows:

system_u:system_r:vpnc_t:s0

* Starting via command line on any kind of console yields this context:

unconfined_u:unconfined_r:vpnc_t:s0-s0:c0.c1023

However, the targeted policy (system/unconfined.te) does contain:

optional_policy(`
        vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

Which results in:

interface(`vpn_run',`
        gen_require(`
                type vpnc_t;
        ')

        vpn_domtrans($1)
        role $2 types vpnc_t;
        allow vpnc_t $3:chr_file rw_term_perms;
        sysnet_run_ifconfig(vpnc_t, $2, $3)
')

And as far as I can see, this specifically covers the case that we're in an
unconfined context when we call VPNC. Some part of the policy is disallowing the
calls to the sysnetwork bits, but even after hours of reading through SELinux
policy documentation and the policy we're shipping, I have yet to figure it out.
I will keep at it later on tonight when I've got some free time.

Jon.

Comment 4 Jon Masters 2008-06-30 10:56:55 UTC
Ah, looking more closely at the sysnetwork policy, we can see:

system/sysnetwork.te:39: role system_r types ifconfig_t;

Which is why VPNC is specifically allowed to run when started via
NetworkManager. Conversely, however, there is no similar role statement in
the unconfined policy. I believe (and so does audit2allow) that the
following addition to system/unconfined.te would at least work around this
problem (I will now build a test package):

role unconfined_r types ifconfig_t;

Jon.

Comment 5 Jon Masters 2008-06-30 11:05:20 UTC
Actually, that's going to be too loose as a policy I guess. I'll wait for a
comment from Dan as to the best action :)

Comment 6 Daniel Walsh 2008-06-30 17:13:29 UTC
That is the exact fix, and this fix is in 

Fixed in selinux-policy-3.3.1-72.fc9.noarch

Which is in testing.

Comment 7 Jon Masters 2008-06-30 17:28:20 UTC
Help me understand then, this will allow unconfined users in general to have
access to ifconfig, right? So long as that's desired, this would work.

I saw the build in koji, but you did it so quickly after the breakage that I
admit I assumed it was unrelated. Will test it.

Jon.

Comment 8 Jon Masters 2008-06-30 17:43:08 UTC
(there was nothing in the koji visible RPM build logs to suggest that -72 was
going to fix this particular policy problem - that's why I discounted it).

Comment 9 Jon Masters 2008-06-30 17:50:49 UTC
Confirmed that this fixes the problem, voting for it in bodhi - suggest others
test this fix too and then visit http://bodhi.fedoraproject.org/ to vote that
this package get good enough karma for release.

Comment 10 Daniel Walsh 2008-06-30 17:55:55 UTC
vpnc and ifconfig recreate the file /etc/resolv.conf. So when you run these tools you
need to transition, to create the files with the correct context.

So unconfined_t->vpnc_exec_t->vpnc_t transition is needed to make sure
networking labels files correctly.

The bug was an RBAC bug. Before Fedora 9, unconfined_u ran in system_r; now it runs
in unconfined_r, but we had a rule that says
unconfined_t->vpnc_exec_t->vpnc_t->ifconfig_exec_t->ifconfig_t

But there was no role statement saying that unconfined_u:unconfined_r:ifconfig_t is a
valid context. I had not added a rule that says ifconfig_t can be run by
the unconfined_r role.

I usually put lots of fixes into an update and sometimes miss putting some of
them in the change log.  Sorry about that.
 
If you run vpnc from NetworkManager this all works correctly because
NetworkManager runs as system_r and that is valid for ifconfig_t.  So only
people who ran vpnc directly as root are seeing this bug.

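The mechanism described in comments 4 and 10, as an added example that is not part of the bug thread or of the Fedora policy: a small model of the SELinux RBAC check. It parses `role <role> types <type>;` statements like the ones quoted above, follows the domain-transition chain unconfined_t -> vpnc_t -> ifconfig_t, and reports the step at which the resulting user:role:type context stops being valid for the caller's role. The policy fragments, the transition table and the `initrc_t` starting domain for the NetworkManager path are constructed for the example; the user-to-role authorization check and the MLS range are omitted.

```python
"""
Model of the SELinux RBAC validity check behind this bug (added example).

A type_transition rule says which domain an exec lands in; a separate
`role R types T;` statement says whether role R may run in domain T. If the
transition is allowed by TE but the resulting role:type pair is not
authorised, the exec fails with EACCES without a TE (AVC) denial, which
matches the "Permission denied" with no ausearch hits seen in this report.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

ROLE_TYPES_RE = re.compile(r"^\s*role\s+(\w+)\s+types\s+(\w+)\s*;\s*$", re.M)

# Constructed excerpt modelled on the statements quoted in the thread
# (sysnetwork.te's role line and vpn_run's `role $2 types vpnc_t;`).
POLICY_BEFORE = """
role system_r types vpnc_t;
role system_r types ifconfig_t;
role unconfined_r types unconfined_t;
role unconfined_r types vpnc_t;
"""

# The one-line fix from comment 4 (shipped in -72 per comment 6).
POLICY_AFTER = POLICY_BEFORE + "role unconfined_r types ifconfig_t;\n"

# Domain transitions on exec: (source domain, entrypoint type) -> new domain.
# Constructed to mirror the chain in comment 10; initrc_t is an assumed
# stand-in for the NetworkManager-side caller.
DOMTRANS: Dict[Tuple[str, str], str] = {
    ("unconfined_t", "vpnc_exec_t"): "vpnc_t",
    ("initrc_t", "vpnc_exec_t"): "vpnc_t",
    ("vpnc_t", "ifconfig_exec_t"): "ifconfig_t",
}

VPNC_CHAIN = ["vpnc_exec_t", "ifconfig_exec_t"]


def parse_role_types(policy: str) -> Dict[str, Set[str]]:
    """Collect which domains each role is authorised to run in."""
    roles: Dict[str, Set[str]] = {}
    for role, dom in ROLE_TYPES_RE.findall(policy):
        roles.setdefault(role, set()).add(dom)
    return roles


def exec_transition(ctx: str, entrypoint: str,
                    roles: Dict[str, Set[str]]) -> Tuple[Optional[str], str]:
    """Compute the context after exec'ing a file of type `entrypoint` from `ctx`.

    Returns (new_context, reason). new_context is None when the exec would be
    refused: either no domain transition applies, or the resulting
    user:role:type triple is invalid because the role is not authorised for
    the new domain (an RBAC failure, not a TE denial).
    """
    user, role, dom = ctx.split(":")[:3]   # MLS range, if any, is ignored
    new_dom = DOMTRANS.get((dom, entrypoint))
    if new_dom is None:
        return None, f"no domain transition from {dom} via {entrypoint}"
    if new_dom not in roles.get(role, set()):
        return None, (f"{user}:{role}:{new_dom} is not a valid context: "
                      f"role {role} is not authorised for {new_dom}")
    return f"{user}:{role}:{new_dom}", "ok"


def run_chain(ctx: str, entrypoints: List[str],
              policy: str) -> List[Tuple[str, str]]:
    """Follow an exec chain; each step is (new context or 'EACCES', reason)."""
    roles = parse_role_types(policy)
    steps: List[Tuple[str, str]] = []
    for ep in entrypoints:
        new_ctx, reason = exec_transition(ctx, ep, roles)
        if new_ctx is None:
            steps.append(("EACCES", reason))
            break
        steps.append((new_ctx, reason))
        ctx = new_ctx
    return steps


def chain_succeeds(ctx: str, policy: str) -> bool:
    """True if vpnc and then ifconfig both get a valid context from `ctx`."""
    return all(c != "EACCES" for c, _ in run_chain(ctx, VPNC_CHAIN, policy))


if __name__ == "__main__":
    for label, policy in (("before fix", POLICY_BEFORE), ("after fix", POLICY_AFTER)):
        for start in ("system_u:system_r:initrc_t",
                      "unconfined_u:unconfined_r:unconfined_t"):
            print(f"[{label}] {start}")
            for c, why in run_chain(start, VPNC_CHAIN, policy):
                print(f"    -> {c}  ({why})")
```

Running the block shows the system_r chain reaching system_u:system_r:ifconfig_t under both policies, while the unconfined_r chain stops at the ifconfig step with EACCES until the `role unconfined_r types ifconfig_t;` line is present. On a real system the same question is answered by `seinfo -r unconfined_r -x` (lists the types a role is authorised for) and `sesearch -T -s vpnc_t -t ifconfig_exec_t` (shows the domain transition), which is a quicker check than reading the .te files when a denial produces no AVC record.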
Comment 11 Jon Masters 2008-06-30 18:18:20 UTC
Thanks for the explanation :) I had deduced exactly what you just said after
many hours of documentation reading last night...had an iffy stomach so couldn't
sleep anyway ;) Maybe there's hope for me figuring out selinux-policy!

Comment 12 Joel Andres Granados 2008-06-30 20:39:40 UTC
I had to install selinux-policy-targeted in addition to selinux-policy.  Just
posting it here in case someone misses that detail.

Comment 13 Daniel Walsh 2008-11-17 22:04:52 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.