Bug 705077

Summary: cannot start ipsec using run_init
Product: Red Hat Enterprise Linux 6
Reporter: Karel Srot <ksrot>
Component: policycoreutils
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 6.1
CC: avagarwa, dwalsh, mgrepl, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-09-08 14:40:00 UTC
Bug Blocks: 682670
Attachments:
strace log of run_init service ipsec restart (flags: none)

Description Karel Srot 2011-05-16 15:05:49 UTC
Created attachment 499181 [details]
strace log of run_init service ipsec restart

Description of problem:

This bug is similar to bug 662064 but there are some differences.

# run_init service ipsec start/restart

command does not start ipsec. This bug prevents starting/restarting ipsec in MLS policy (because you have to use run_init in MLS).

[root@dhcp-30-102 ~]# run_init service ipsec restart
Authenticating ksrot.
Password: 
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.10.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@dhcp-30-102 ~]# ps -ef | grep pluto
root     11869  9604  0 16:47 pts/18   00:00:00 grep pluto
[root@dhcp-30-102 ~]#

BUT without run_init
 
[root@dhcp-30-102 ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.10.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@dhcp-30-102 ~]# ps -ef | grep pluto
root     12031     1  0 16:48 pts/18   00:00:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug  --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive  --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private  --listen  --crlcheckinterval 0 --ocspuri  --nhelpers  --secctx_attr_value  --dump  --opts  --stderrlog /var/log/pluto.log --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
root     12032     1  0 16:48 pts/18   00:00:00 logger -s -p daemon.error -t ipsec__plutorun
root     12035 12031  0 16:48 pts/18   00:00:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug  --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive  --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private  --listen  --crlcheckinterval 0 --ocspuri  --nhelpers  --secctx_attr_value  --dump  --opts  --stderrlog /var/log/pluto.log --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
root     12036 12031  0 16:48 pts/18   00:00:00 /bin/sh /usr/libexec/ipsec/_plutoload --wait no --post 
root     12038 12035  0 16:48 pts/18   00:00:00 /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --stderrlog
root     12066 12038  0 16:48 pts/18   00:00:00 _pluto_adns
root     12086  9604  0 16:48 pts/18   00:00:00 grep pluto
[root@dhcp-30-102 ~]#

This is not an SELinux issue, since the system is in permissive mode.

Version-Release number of selected component (if applicable):
policycoreutils-2.0.83-19.8.el6_0.x86_64
openswan-2.6.32-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. configure ipsec on your rhel6.1 system
e.g. 
[root@dhcp-30-102 ~]# cat /etc/ipsec.conf
version    2.0

config setup
    protostack=netkey
    nat_traversal=yes
    plutostderrlog=/var/log/pluto.log

conn host-to-host
    left=10.1.0.1
    leftid=10.1.0.1
    right=10.1.0.2
    rightid=10.1.0.2
    keyexchange=ike
    esp=3des-sha1-96
    authby=secret
    auto=add
[root@dhcp-30-102 ~]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets

10.1.0.1 10.1.0.2: PSK "my-secret-password"
[root@dhcp-30-102 ~]#

2. # service ipsec start; ps -ef | grep pluto; service ipsec stop 
just to verify ipsec can start

3. # run_init service ipsec start

Actual results:
ipsec services do not start


Additional info:

[root@dhcp-30-102 ~]# run_init service ipsec start
Authenticating ksrot.
Password: 
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.10.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@dhcp-30-102 ~]# cat /var/log/messages

May 16 16:55:00 dhcp-30-102 kernel: NET: Registered protocol family 15
May 16 16:55:00 dhcp-30-102 ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.10.el6.x86_64...
May 16 16:55:00 dhcp-30-102 ipsec_setup: Using NETKEY(XFRM) stack
May 16 16:55:00 dhcp-30-102 kernel: padlock: VIA PadLock not detected.
May 16 16:55:00 dhcp-30-102 kernel: padlock: VIA PadLock Hash Engine not detected.
May 16 16:55:00 dhcp-30-102 kernel: Intel AES-NI instructions are not detected.
May 16 16:55:00 dhcp-30-102 kernel: padlock: VIA PadLock not detected.
May 16 16:55:00 dhcp-30-102 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
May 16 16:55:00 dhcp-30-102 ipsec_setup: ...Openswan IPsec started
[root@dhcp-30-102 ~]# cat /var/log/pluto.log 
Plutorun started on Mon May 16 16:55:00 CEST 2011
[root@dhcp-30-102 ~]# service ipsec status
IPsec stopped
but...
has subsystem lock (/var/lock/subsys/ipsec)!

strace log attached
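The state the report ends on (subsystem lock present, `service ipsec status` saying "stopped", no pluto process) is easy to miss on a host that is supposed to be protecting traffic, so the following is an added POSIX shell check for exactly that condition. It is an example written for this page, not code from the report, from policycoreutils or from openswan. It assumes the pid file path /var/run/pluto/pluto.pid (from the ps output above) and the lock path /var/lock/subsys/ipsec (from the status output); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the bug report or from policycoreutils/openswan.
# Detects the state reported at the end of the description: the subsystem lock
# exists, yet the daemon the init script started is not running.
# Paths taken from the report: pluto pid file /var/run/pluto/pluto.pid (ps
# output) and lock file /var/lock/subsys/ipsec (service status output).
# Function names are hypothetical.

# check_daemon_state PIDFILE LOCKFILE
# Prints one word on stdout and returns a matching code:
#   running    (0) pid file names a live process
#   stopped    (1) no pid file, no lock: clean shutdown
#   stale-lock (2) lock present but daemon gone: init believes it is up
#   stale-pid  (3) pid file left behind, no lock
check_daemon_state() {
    pidfile=$1
    lockfile=$2
    pid=""
    if [ -r "$pidfile" ]; then
        # keep digits only; the pid file holds the pid followed by a newline
        pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    fi
    # kill -0 sends no signal; it only asks whether the pid exists
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo running
        return 0
    fi
    if [ -e "$lockfile" ]; then
        echo stale-lock
        return 2
    fi
    if [ -n "$pid" ]; then
        echo stale-pid
        return 3
    fi
    echo stopped
    return 1
}

# check_ipsec: the same test with the paths seen in the report.
check_ipsec() {
    check_daemon_state /var/run/pluto/pluto.pid /var/lock/subsys/ipsec
}

# Invoked as "sh check_ipsec.sh --run": print the ipsec state and exit
# non-zero unless the daemon is actually running.
if [ "${1:-}" = "--run" ]; then
    state=$(check_ipsec)
    rc=$?
    echo "ipsec: $state"
    exit $rc
fi
```

Run it right after `run_init service ipsec start`; an exit code of 2 means the init script claimed success and took the lock while pluto never came up, which is the mismatch shown in the transcript above and the case a monitoring check should alarm on.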

Comment 1 Daniel Walsh 2011-06-14 12:26:29 UTC
Will remove special tty handling from run_init to make this work.

Comment 2 Milos Malik 2011-08-25 13:32:21 UTC
Another consequence of the same problem:
* "service abrt-oops start" works as expected
* "run_init service abrt-oops start" doesn't

Comment 3 Miroslav Grepl 2011-09-08 14:40:00 UTC

*** This bug has been marked as a duplicate of bug 662064 ***