Bug 504397

Summary: SELinux is preventing racoon (racoon_t) "execute" to ./p1_up_down (ipsec_conf_file_t)
Product: Fedora
Reporter: Michael <mclroy>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 10
CC: dwalsh, mgrepl, tmraz
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-08-19 15:39:45 UTC
Bug Blocks: 517000

Description Michael 2009-06-06 04:29:17 UTC
Description of problem:
racoon conflicts with SELinux: p1_up_down (ipsec_conf_file_t)

Version-Release number of selected component (if applicable):
[root@ex racoon]# rpm -qi ipsec-tools
Name        : ipsec-tools                  Relocations: (not relocatable)
Version     : 0.7.2                             Vendor: Fedora Project
Release     : 1.fc10
[root@ex racoon]# rpm -qa | grep selinux-policy-targeted
selinux-policy-targeted-3.5.13-61.fc10.noarch
[root@ex racoon]# 

How reproducible:
Constantly.
Have racoon up and running and a client initiating IPsec.

Steps to Reproduce:
1. vi racoon.conf and deploy certificates
2. service racoon start
3. a client connects...
  
Actual results:
racoon: ERROR: execve("/etc/racoon/scripts/p1_up_down") failed: Permission denied
SELinux is preventing racoon (racoon_t) "execute" to ./p1_up_down (ipsec_conf_file_t). For complete SELinux messages. run sealert -l 7589...

Expected results:
Some happy ipsec communication.

Additional info:

Source Context                unconfined_u:system_r:racoon_t
Target Context                system_u:object_r:ipsec_conf_file_t
Target Objects                ./p1_up_down [ file ]
Source                        racoon
Source Path                   /usr/sbin/racoon
Port                          <Unknown>
Host                          ex.flhn
Source RPM Packages           ipsec-tools-0.7.2-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-61.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     ex.flhn
Platform                      Linux ex.flhn 2.6.27.24-170.2.68.fc10.i686 #1 SMP
                              Wed May 20 23:10:16 EDT 2009 i686 i686
Alert Count                   12
First Seen                    Sat Jun  6 07:36:57 2009
Last Seen                     Sat Jun  6 07:43:23 2009
Local ID                      75897d79-99c3-4441-82e0-83065b08e3f7
Line Numbers

Raw Audit Messages

node=ex.flhn type=AVC msg=audit(1244259803.338:9617): avc:  denied  { execute } for  pid=8705 comm="racoon" name="p1_up_down" dev=sda3 ino=169941 scontext=unconfined_u:system_r:racoon_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file

node=ex.flhn type=SYSCALL msg=audit(1244259803.338:9617): arch=40000003 syscall=11 success=no exit=-13 a0=15aa738 a1=bfd05970 a2=15aa800 a3=15a5668 items=0 ppid=8334 pid=8705 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="racoon" exe="/usr/sbin/racoon" subj=unconfined_u:system_r:racoon_t:s0 key=(null)

Comment 1 Daniel Walsh 2009-06-08 12:50:35 UTC
Miroslav, add

/etc/racoon/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)


Michael, if you execute

chcon -t bin_t -R /etc/racoon/scripts 

This should work.

Comment 2 Michael 2009-06-08 14:30:25 UTC
Well, yes. It helps with the "execute" issue, but it still doesn't help run racoon:
racoon: ERROR: execve("/etc/racoon/scripts/p1_up_down") failed: Permission denied
setroubleshoot: SELinux is preventing racoon (racoon_t) "search" to ./scripts (bin_t). For complete SELinux messages. run sealert -l f7abfae5-b674-489d-b8c9-eb26a69a511e

Source Context                unconfined_u:system_r:racoon_t
Target Context                system_u:object_r:bin_t
Target Objects                ./scripts [ dir ]
Source                        racoon
Source Path                   /usr/sbin/racoon
Port                          <Unknown>
Host                          ex.flhn
Source RPM Packages           ipsec-tools-0.7.2-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-61.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     ex.flhn
Platform                      Linux ex.flhn 2.6.27.24-170.2.68.fc10.i686 #1 SMP
                              Wed May 20 23:10:16 EDT 2009 i686 i686
Alert Count                   6
First Seen                    Mon Jun  8 18:09:10 2009
Last Seen                     Mon Jun  8 18:09:41 2009
Local ID                      f7abfae5-b674-489d-b8c9-eb26a69a511e
Line Numbers                  

Raw Audit Messages            

node=ex.flhn type=AVC msg=audit(1244470181.939:12623): avc:  denied  { search } for  pid=22056 comm="racoon" name="scripts" dev=sda3 ino=169974 scontext=unconfined_u:system_r:racoon_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir

node=ex.flhn type=SYSCALL msg=audit(1244470181.939:12623): arch=40000003 syscall=11 success=no exit=-13 a0=9c3708 a1=bfc56cd0 a2=9c37d0 a3=9bf210 items=0 ppid=22049 pid=22056 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="racoon" exe="/usr/sbin/racoon" subj=unconfined_u:system_r:racoon_t:s0 key=(null)

I wonder if anyone has racoon running in an SELinux-enabled environment? D'oh!

Comment 3 Miroslav Grepl 2009-06-08 15:16:02 UTC
Dan,

the racoon policy doesn't have the 'corecmd_exec_bin' macro in F10 or F11 either.

Comment 4 Miroslav Grepl 2009-06-08 15:28:50 UTC
Michael,

you can allow it for now using

1. # setenforce 0
2. your Steps to Reproduce
3. # grep avc /var/log/audit/audit.log | audit2allow -M mypol
4. # semodule -i mypol.pp
5. # setenforce 1

Comment 5 Miroslav Grepl 2009-06-08 15:34:16 UTC
Michael, 

a better and safer solution:

# semanage permissive -a racoon_t
# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
# semanage permissive -d racoon_t

Comment 6 Miroslav Grepl 2009-06-08 15:36:58 UTC
(In reply to comment #5)
> Michael, 
> 
> better and safer solution
> 
> # semanage permissive -a racoon_t
  your Steps to Reproduce
> # grep avc /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> # semanage permissive -d racoon_t

Comment 7 Michael 2009-06-08 17:07:51 UTC
I hope I'll be able to collect all the rules without permissive mode. I hope there won't be many?
But how could it happen that racoon can't run out of the box?
Racoon must not have been tested at all.
I'd better switch to Openswan, though it in turn has its own SELinux issues.


Wow! This is enough:

# cat racoon.te 

module racoon 1.0;

require {
	type unconfined_t;
	type shell_exec_t;
	type bin_t;
	type racoon_exec_t;
	type ifconfig_exec_t;
	type ipsec_conf_file_t;
	type racoon_t;
	class lnk_file read;
	class fifo_file { read write getattr ioctl };
	class dir search;
	class file { execute read ioctl execute_no_trans getattr relabelto };
}

#============= racoon_t ==============
allow racoon_t bin_t:dir search;
allow racoon_t bin_t:file { read execute ioctl execute_no_trans getattr };
allow racoon_t bin_t:lnk_file read;
allow racoon_t ifconfig_exec_t:file { read getattr execute execute_no_trans };
allow racoon_t ipsec_conf_file_t:file execute;
allow racoon_t racoon_exec_t:file execute_no_trans;
allow racoon_t self:fifo_file { read write getattr ioctl };
allow racoon_t shell_exec_t:file { read execute };

#============= unconfined_t ==============
allow unconfined_t racoon_t:file relabelto;
# 


At least I now see messages suggesting that racoon is perhaps just misconfigured:

racoon: INFO: respond new phase 1 negotiation: xxx.xx.xx.20[500]<=>xxx.xxx.xxx.38[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth RSASIG client:RSA signatures
racoon: ERROR: no suitable proposal found.
racoon: ERROR: failed to get valid proposal.
racoon: ERROR: failed to pre-process packet.
racoon: ERROR: phase1 negotiation failed.

Any suggestions BTW?
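
An added example, not from this bug or from the ipsec-tools or selinux-policy projects: a small Python script that does what the `grep avc ... | audit2allow` step in comment 5 does for the AVC records quoted above (parse the denials and merge them into allow rules), and then flags the rule that comment 7's module ended up with, `allow racoon_t ipsec_conf_file_t:file execute;`, as a mislabelling to fix with the relabel from comment 1 rather than with a policy grant. The log lines are constructed from the records in this bug plus two made-up denials, and the regexes and the `CONFIG_SUFFIXES` heuristic are assumptions of this example, not audit2allow's logic.

```python
import re

# Constructed sample log: the two AVC records quoted in this bug plus two
# made-up denials (racoon_t on ifconfig_exec_t, and one from another domain).
AUDIT_LOG = """\
node=ex.flhn type=AVC msg=audit(1244259803.338:9617): avc:  denied  { execute } for  pid=8705 comm="racoon" name="p1_up_down" dev=sda3 ino=169941 scontext=unconfined_u:system_r:racoon_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file
node=ex.flhn type=AVC msg=audit(1244470181.939:12623): avc:  denied  { search } for  pid=22056 comm="racoon" name="scripts" dev=sda3 ino=169974 scontext=unconfined_u:system_r:racoon_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
node=ex.flhn type=AVC msg=audit(1244470190.100:12630): avc:  denied  { read getattr } for  pid=22057 comm="racoon" name="ifconfig" scontext=unconfined_u:system_r:racoon_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
node=ex.flhn type=AVC msg=audit(1244470195.200:12640): avc:  denied  { write } for  pid=1 comm="init" name="passwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Assumed AVC field layout (it matches the records in this bug).
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\S+?:\S+?:(?P<stype>\w+)\S*\s+"
    r"tcontext=\S+?:\S+?:(?P<ttype>\w+)\S*\s+tclass=(?P<tclass>\w+)")

def parse_avc(log_text):
    """Yield (source type, target type, object class, perms) per AVC denial."""
    for line in log_text.splitlines():
        if m := AVC_RE.search(line):
            yield m["stype"], m["ttype"], m["tclass"], set(m["perms"].split())

def allow_rules(log_text, source_type=None):
    """Merge denials into audit2allow-style allow rules, optionally for one domain."""
    merged = {}
    for stype, ttype, tclass, perms in parse_avc(log_text):
        if source_type is None or stype == source_type:
            merged.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        joined = " ".join(sorted(perms))
        joined = f"{{ {joined} }}" if len(perms) > 1 else joined
        rules.append(f"allow {stype} {ttype}:{tclass} {joined};")
    return rules

# Assumed heuristic: execute on a type that labels configuration data means the
# file is mislabelled and wants a relabel (here: scripts to bin_t), not policy.
CONFIG_SUFFIXES = ("_conf_file_t", "_conf_t", "etc_t")

def needs_relabel(rule):
    """True when an allow rule grants execute on a configuration-file type."""
    m = re.match(r"allow \w+ (\w+):file (.+);$", rule)
    if not m:
        return False
    ttype, perms = m.group(1), m.group(2).strip("{} ").split()
    return ttype.endswith(CONFIG_SUFFIXES) and "execute" in perms

for rule in allow_rules(AUDIT_LOG, "racoon_t"):
    print(("RELABEL INSTEAD: " if needs_relabel(rule) else "ok:  ") + rule)
```

Rules reported as "RELABEL INSTEAD" are the ones to fix with `chcon`/`semanage fcontext` as in comment 1; the rest are candidates for a local module as in comment 5.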

Comment 8 Daniel Walsh 2009-06-08 17:37:55 UTC
OK Miroslav, add

allow racoon_t self:fifo_file rw_fifo_file_perms;

can_exec(racoon_t, racoon_exec_t)

corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)

sysnet_exec_ifconfig(racoon_t)

Comment 9 Michael 2009-06-08 17:44:08 UTC
I see racoon miraculously working for me now:

racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
racoon: INFO: xxx.xxx.xxx.20[500] used as isakmp port (fd=9)
racoon: INFO: xxx.xxx.xxx.20[500] used for NAT-T
racoon: INFO: xxx.xxx.xxx.20[500] used as isakmp port (fd=10)
racoon: INFO: xxx.xxx.xxx.20[500] used for NAT-T

racoon: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.20[500]<=>xxx.xxx.xxx.38[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=CO/ST=St/L=Loc/O=Private/OU=...
racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=CO/ST=St/L=Loc/O=Private/OU=...
racoon: INFO: ISAKMP-SA established xxx.xxx.xxx.20[500]-xxx.xxx.xxx.38[500] spi:c94e2b7502b9ef6a:aeff67acd52fd24d
racoon: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.20[500]<=>xxx.xxx.xxx.38[500]
racoon: INFO: Update the generated policy : xxx.xxx.xxx.38/32[0] xxx.xxx.xxx.20/32[0] proto=any dir=in
racoon: INFO: IPsec-SA established: ESP/Transport xxx.xxx.xxx.38[500]->xxx.xxx.xxx.20[500] spi=224646872(0xd63d6d8)
racoon: INFO: IPsec-SA established: ESP/Transport xxx.xxx.xxx.20[500]->xxx.xxx.xxx.38[500] spi=4149321275(0xf7519e3b)
racoon: ERROR: such policy does not already exist: "xxx.xxx.xxx.38/32[0] xxx.xxx.xxx.20/32[0] proto=any dir=in"
racoon: ERROR: such policy does not already exist: "xxx.xxx.xxx.20/32[0] xxx.xxx.xxx.38/32[0] proto=any dir=out"

Good luck!

Comment 10 Miroslav Grepl 2009-06-11 11:16:08 UTC
Fixed in selinux-policy-3.5.13-64.fc10

Comment 11 Miroslav Grepl 2009-08-19 15:39:45 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if
the bug is not actually fixed.