Bug 502302

Summary: selinux avc on vpnc connect
Product: [Fedora] Fedora EPEL Reporter: David O'Brien <daobrien>
Component: vpncAssignee: Huzaifa S. Sidhpurwala <huzaifas>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: el5CC: dwalsh, mastahnke, tmraz, tremble, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: ActualBug
Fixed In Version: vpnc-0.5.3-8.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-09-28 05:37:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David O'Brien 2009-05-23 11:08:54 UTC 
Description of problem:


Summary:
I get the following when I use vpnc to connect to the RH vpn from a RHEL 5.2 Server VM. I get a vpn connection ok, but I don't know if it's a "complete" connection. i.e., is this avc preventing a fully operational vpn connection?

SELinux is preventing ip (ifconfig_t) "read write" to socket (vpnc_t).

Detailed Description:

SELinux denied access requested by ip. It is not expected that this access is
required by ip and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:ifconfig_t
Target Context                user_u:system_r:vpnc_t
Target Objects                socket [ udp_socket ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          alexandria.australia.com
Source RPM Packages           iproute-2.6.18-9.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     alexandria.australia.com
Platform                      Linux alexandria.australia.com 2.6.18-128.1.10.el5
                              #1 SMP Wed Apr 29 13:55:17 EDT 2009 i686 i686
Alert Count                   90
First Seen                    Thu 12 Jun 2008 05:11:42 AM EST
Last Seen                     Sun 24 May 2009 08:14:26 PM EST
Local ID                      c6eb2189-1084-4f88-a2c3-5920cfb2480a
Line Numbers                  

Raw Audit Messages            

host=alexandria.australia.com type=AVC msg=audit(1243160066.982:107): avc:  denied  { read write } for  pid=3138 comm="ip" path="socket:[18966]" dev=sockfs ino=18966 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:vpnc_t:s0 tclass=udp_socket

host=alexandria.australia.com type=SYSCALL msg=audit(1243160066.982:107): arch=40000003 syscall=11 success=yes exit=0 a0=91d72c0 a1=91d7168 a2=91c94a8 a3=0 items=0 ppid=3116 pid=3138 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ip" exe="/sbin/ip" subj=user_u:system_r:ifconfig_t:s0 key=(null)




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Daniel Walsh 2009-05-25 11:38:47 UTC 
This is a leaked file descriptor in vpnc.  vpnc should call 

fcntl(socket, F_SETFD, FD_CLOEXEC) 

On all open file descriptors before executing any jobs.

You can allow this for now by executing

# grep vpnc /var/log/audit/audit.log | audit2allow -M myvpnc
# semodule -i myvpnc.pp

This will build a custom policy module and install it allowing the access, and eliminate the AVC.
Comment 2 David O'Brien 2009-05-29 07:37:18 UTC 
Thanks Dan. New module works fine.

David
Comment 3 Huzaifa S. Sidhpurwala 2010-01-05 11:10:13 UTC 
Hi,
https://admin.fedoraproject.org/updates/vpnc-0.5.3-6.el5
Can you test this and let me know if it clears the selinux errors.
Comment 4 David O'Brien 2010-01-05 12:22:13 UTC 
I'd like to, but...
- I no longer have RHEL 5.2 installed, only 5.4
- I checked the epel repo and there doesn't seem to be any updates there
- The vpnc build that I have is 0.4.0-2.el5 (quite old)

Any other volunteers for testing (me not being very technical)? Sorry.
Comment 5 Huzaifa S. Sidhpurwala 2010-01-05 13:49:48 UTC 
Hi David,
You dont need 5.2 , 5.4 will do just fine.
You can go the link i posted and download the rpm and test if you want :)

Thanks.
Comment 6 Mark Chappell 2010-09-24 15:46:42 UTC 
David, 

For reference, at that point the update was in the testing repository. "yum update --enablerepo=epel-testing vpnc" would have allowed you to install the updated version.

vpnc-0.5.3-6.el5 is now in the stable repository, any chance you could confirm that this bug has been fixed?
Comment 7 David O'Brien 2010-09-28 04:37:53 UTC 
Hi Mark

I'm currently using:
vpnc-0.5.3-8.el5
rhel 5.4 with 2.6.18-164.11.1.el5

and I'm not getting any of the avc denials I was seeing before. (This is on a physical box, btw, not the VM I was using before.)

thanks
Comment 8 Mark Chappell 2010-09-28 05:37:19 UTC 
Thanks David, in that case I'll close this ticket off.  The VM/Physical box shouldn't make a difference if it's the guest that gave the AVC last time.