Bug 504397
Summary: | SELinux is preventing racoon (racoon_t) "execute" to ./p1_up_down (ipsec_conf_file_t) | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Michael <mclroy> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | | |
Version: | 10 | CC: | dwalsh, mgrepl, tmraz |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2009-08-19 15:39:45 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 517000 | | |
Description
Michael 2009-06-06 04:29:17 UTC

---

Miroslav, add

```
/etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
```

---

Michael, if you execute

```
chcon -t bin_t -R /etc/racoon/scripts
```

This should work.

---

Well. Yes. It helps with the "execute" issue but it still doesn't help to run racoon:

```
racoon: ERROR: execve("/etc/racoon/scripts/p1_up_down") failed: Permission denied
```

setroubleshoot:

```
SELinux is preventing racoon (racoon_t) "search" to ./scripts (bin_t).

For complete SELinux messages. run sealert -l f7abfae5-b674-489d-b8c9-eb26a69a511e

Source Context                unconfined_u:system_r:racoon_t
Target Context                system_u:object_r:bin_t
Target Objects                ./scripts [ dir ]
Source                        racoon
Source Path                   /usr/sbin/racoon
Port                          <Unknown>
Host                          ex.flhn
Source RPM Packages           ipsec-tools-0.7.2-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-61.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     ex.flhn
Platform                      Linux ex.flhn 2.6.27.24-170.2.68.fc10.i686 #1 SMP Wed May 20 23:10:16 EDT 2009 i686 i686
Alert Count                   6
First Seen                    Mon Jun 8 18:09:10 2009
Last Seen                     Mon Jun 8 18:09:41 2009
Local ID                      f7abfae5-b674-489d-b8c9-eb26a69a511e
Line Numbers

Raw Audit Messages

node=ex.flhn type=AVC msg=audit(1244470181.939:12623): avc: denied { search } for pid=22056 comm="racoon" name="scripts" dev=sda3 ino=169974 scontext=unconfined_u:system_r:racoon_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir

node=ex.flhn type=SYSCALL msg=audit(1244470181.939:12623): arch=40000003 syscall=11 success=no exit=-13 a0=9c3708 a1=bfc56cd0 a2=9c37d0 a3=9bf210 items=0 ppid=22049 pid=22056 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="racoon" exe="/usr/sbin/racoon" subj=unconfined_u:system_r:racoon_t:s0 key=(null)
```

I wonder if anyone has racoon running in an SELinux enabled environment?

---

D'oh! Dan, the racoon policy doesn't have the 'corecmd_exec_bin' macro in F10 and F11 also.

Michael, you can allow for now using

1. # setenforce 0
2. your Steps to Reproduce
3. # grep avc /var/log/audit/audit.log | audit2allow -M mypol
4. # semodule -i mypol.pp
5. # setenforce 1

---

Michael,

better and safer solution

```
# semanage permissive -a racoon_t
# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
# semanage permissive -d racoon_t
```

---

(In reply to comment #5)
> Michael,
>
> better and safer solution
>
> # semanage permissive -a racoon_t
your Steps to Reproduce
> # grep avc /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> # semanage permissive -d racoon_t

I hope I'll be able to collect all the rules without the permissive mode. I hope there won't be many? But how could it so happen that racoon can't run out of the box? Racoon must be untested at all. I'd better switch to Openswan, though in its turn it has its own SELinux issues.

---

Wow! This is enough:

```
# cat racoon.te

module racoon 1.0;

require {
	type unconfined_t;
	type shell_exec_t;
	type bin_t;
	type racoon_exec_t;
	type ifconfig_exec_t;
	type ipsec_conf_file_t;
	type racoon_t;
	class lnk_file read;
	class fifo_file { read write getattr ioctl };
	class dir search;
	class file { execute read ioctl execute_no_trans getattr relabelto };
}

#============= racoon_t ==============
allow racoon_t bin_t:dir search;
allow racoon_t bin_t:file { read execute ioctl execute_no_trans getattr };
allow racoon_t bin_t:lnk_file read;
allow racoon_t ifconfig_exec_t:file { read getattr execute execute_no_trans };
allow racoon_t ipsec_conf_file_t:file execute;
allow racoon_t racoon_exec_t:file execute_no_trans;
allow racoon_t self:fifo_file { read write getattr ioctl };
allow racoon_t shell_exec_t:file { read execute };

#============= unconfined_t ==============
allow unconfined_t racoon_t:file relabelto;
#
```

At least I see messages now that racoon is just perhaps misconfigured:

```
racoon: INFO: respond new phase 1 negotiation: xxx.xx.xx.20[500]<=>xxx.xxx.xxx.38[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth RSASIG client:RSA signatures
racoon: ERROR: no suitable proposal found.
racoon: ERROR: failed to get valid proposal.
racoon: ERROR: failed to pre-process packet.
racoon: ERROR: phase1 negotiation failed.
```

Any suggestions BTW?

---

Ok, Miroslav, add

```
allow racoon_t self:fifo_file rw_fifo_file_perms;
can_exec(racoon_t, racoon_exec_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
sysnet_exec_ifconfig(racoon_t)
```

---

I see racoon miraculously working for me now:

```
racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
racoon: INFO: xxx.xxx.xxx.20[500] used as isakmp port (fd=9)
racoon: INFO: xxx.xxx.xxx.20[500] used for NAT-T
racoon: INFO: xxx.xxx.xxx.20[500] used as isakmp port (fd=10)
racoon: INFO: xxx.xxx.xxx.20[500] used for NAT-T
racoon: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.20[500]<=>xxx.xxx.xxx.38[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=CO/ST=St/L=Loc/O=Private/OU=...
racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=CO/ST=St/L=Loc/O=Private/OU=...
racoon: INFO: ISAKMP-SA established xxx.xxx.xxx.20[500]-xxx.xxx.xxx.38[500] spi:c94e2b7502b9ef6a:aeff67acd52fd24d
racoon: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.20[500]<=>xxx.xxx.xxx.38[500]
racoon: INFO: Update the generated policy : xxx.xxx.xxx.38/32[0] xxx.xxx.xxx.20/32[0] proto=any dir=in
racoon: INFO: IPsec-SA established: ESP/Transport xxx.xxx.xxx.38[500]->xxx.xxx.xxx.20[500] spi=224646872(0xd63d6d8)
racoon: INFO: IPsec-SA established: ESP/Transport xxx.xxx.xxx.20[500]->xxx.xxx.xxx.38[500] spi=4149321275(0xf7519e3b)
racoon: ERROR: such policy does not already exist: "xxx.xxx.xxx.38/32[0] xxx.xxx.xxx.20/32[0] proto=any dir=in"
racoon: ERROR: such policy does not already exist: "xxx.xxx.xxx.20/32[0] xxx.xxx.xxx.38/32[0] proto=any dir=out"
```

Good luck!

---

Fixed in selinux-policy-3.5.13-64.fc10

---

Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
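As an added illustration (not part of the bug report, and not the code of audit2allow itself), the Python script below does for a couple of audit records what the `grep avc ... | audit2allow -M mypol` step in the thread does for the whole audit log: it pulls the source type, target type, object class and denied permissions out of each `avc: denied` record, merges records that hit the same (source, target, class) triple, and renders a policy module source of the same shape as the `racoon.te` pasted above. The first sample record is the AVC denial quoted in the report; the second record is constructed for the example, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input. The first AVC record is the one quoted in the bug
# report; the second is made up (same shape) so the merge step has work to do.
SAMPLE_AUDIT_LOG = """\
node=ex.flhn type=AVC msg=audit(1244470181.939:12623): avc: denied { search } for pid=22056 comm="racoon" name="scripts" dev=sda3 ino=169974 scontext=unconfined_u:system_r:racoon_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
node=ex.flhn type=SYSCALL msg=audit(1244470181.939:12623): arch=40000003 syscall=11 success=no exit=-13 comm="racoon" exe="/usr/sbin/racoon"
type=AVC msg=audit(1244470182.001:12624): avc: denied { read execute } for pid=22056 comm="racoon" name="p1_up_down" scontext=unconfined_u:system_r:racoon_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

# The parts of an AVC record that an allow rule is built from.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) per AVC denial line.

    SYSCALL and other non-AVC records carry no denial and are skipped.
    """
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
               m.group("tclass"), frozenset(m.group("perms").split()))


def collect_rules(text):
    """Merge denials into {(source, target, class): frozenset(perms)}."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc_denials(text):
        merged[(src, tgt, cls)] |= perms
    return {key: frozenset(perms) for key, perms in merged.items()}


def render_te(rules, module_name="mypol", version="1.0"):
    """Render merged rules as policy module source (.te) text."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls] |= perms

    lines = ["module %s %s;" % (module_name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    for cls in sorted(class_perms):
        lines.append("\tclass %s { %s };" % (cls, " ".join(sorted(class_perms[cls]))))
    lines += ["}", ""]

    for src, tgt, cls in sorted(rules):
        perms = sorted(rules[(src, tgt, cls)])
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        # Like audit2allow, write "self" when a domain is denied access to its own objects.
        target = "self" if src == tgt else tgt
        lines.append("allow %s %s:%s %s;" % (src, target, cls, perm_str))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_te(collect_rules(SAMPLE_AUDIT_LOG)), end="")
```

The rendered module is the thing to read before the `semodule -i mypol.pp` step: each `allow` line grants exactly what some denial asked for, so any denial caused by a misconfiguration, or by unrelated activity that happened to land in the audit log while the domain was permissive, becomes a permanent grant unless it is edited out. For the report above, the rules one expects to see are the ones that let `racoon_t` search and execute under `/etc/racoon/scripts` once those files carry `bin_t`, which is what the final policy fix expresses with `corecmd_exec_bin(racoon_t)`.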