Description of problem:
When strongSwan is configured to automatically add firewall rules to iptables after successfully establishing a security association using "leftfirewall=yes" in ipsec.conf, this SELinux denial occurs, and the firewall rules are not added.

SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin/xtables-multi.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that bash should be allowed getattr access on the xtables-multi file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep _updown /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:iptables_exec_t:s0
Target Objects                /usr/sbin/xtables-multi [ file ]
Source                        _updown
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          underground
Source RPM Packages           bash-4.2.45-1.fc19.x86_64
Target RPM Packages           iptables-1.4.18-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-71.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     underground
Platform                      Linux underground 3.10.7-200.fc19.x86_64 #1 SMP Thu Aug 15 23:19:45 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-08-25 00:21:35 EDT
Last Seen                     2013-08-25 00:21:35 EDT
Local ID                      0e98f056-9f25-4054-adfb-4cff0e2ba587

Raw Audit Messages
type=AVC msg=audit(1377404495.485:1982): avc: denied { getattr } for pid=27991 comm="_updown" path="/usr/sbin/xtables-multi" dev="dm-1" ino=11017995 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1377404495.485:1982): arch=x86_64 syscall=stat success=no exit=EACCES a0=2092340 a1=7fffed9090f0 a2=7fffed9090f0 a3=30ee6856f0 items=0 ppid=27990 pid=27991 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=_updown exe=/usr/bin/bash subj=system_u:system_r:ipsec_t:s0 key=(null)

Hash: _updown,ipsec_t,iptables_exec_t,file,getattr

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-71.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
1. Configure an IPSec connection in strongSwan ipsec.conf, using leftfirewall=yes on the local Fedora 19 machine.
2. Start strongSwan.
3. Wait for the IPSec connection to be established.

Actual results:
The security associations are established, but the necessary firewall rules are not added, and this SELinux denial occurs. IPSec traffic cannot be passed.

Expected results:
No SELinux denials occur, and strongSwan can add the firewall rules. IPSec traffic passes successfully.

Additional info:
This issue doesn't occur on CentOS 6.4. The strongSwan website has a large number of test configuration examples, many or most of which could be used to reproduce this.
Can you attempt this in permissive mode and collect all of the AVCs?
Created attachment 790687
audit.log

These are the AVCs and corresponding syscalls I'm seeing after using semanage permissive -l ipsec_t and restarting strongswan.
(In reply to Michael Hampton from comment #2)
> semanage permissive -l ipsec_t

Make that semanage permissive -a ipsec_t. It's been a long week already and it's only Monday.
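The triage step above (run the domain permissive, restart the daemon, collect every AVC with its SYSCALL record) produces a pile of raw audit lines like the two in the description. The following script is an added example, not code from the reporter, from setroubleshoot or from the Fedora policy project: it parses AVC records, pairs each one with the SYSCALL record that shares its audit serial, and prints the same "comm,source type,target type,class,permission" signature that the setroubleshoot alert shows as its "Hash:" line, plus the single allow rule that audit2allow would generate for it. The sample log is constructed from the two records in the report; field names follow the standard audit record format.

```python
"""Summarise SELinux AVC denials from an audit.log dump.

Pairs each AVC record with its SYSCALL record (same audit serial) so the
reviewer sees which executable issued which syscall, then prints the
setroubleshoot-style signature and the audit2allow-style allow rule.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the AVC/SYSCALL pair from the bug report, in the
# one-record-per-line layout of /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1377404495.485:1982): avc:  denied  { getattr } for  pid=27991 comm="_updown" path="/usr/sbin/xtables-multi" dev="dm-1" ino=11017995 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1377404495.485:1982): arch=x86_64 syscall=stat success=no exit=EACCES a0=2092340 a1=7fffed9090f0 a2=7fffed9090f0 a3=30ee6856f0 items=0 ppid=27990 pid=27991 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="_updown" exe="/usr/bin/bash" subj=system_u:system_r:ipsec_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)'
)
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def kv_fields(text: str) -> Dict[str, str]:
    """Split 'key=value key="quoted value"' into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx: str) -> str:
    """user:role:type:level -> type (e.g. system_u:system_r:ipsec_t:s0 -> ipsec_t)."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    m = AVC_RE.match(line)
    if not m:
        return None
    f = kv_fields(m.group('rest'))
    rec: Dict[str, object] = {
        'serial': m.group('serial'),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': f.get('comm', ''),
        'path': f.get('path', ''),
        'tclass': f.get('tclass', ''),
        'stype': context_type(f.get('scontext', '')),
        'ttype': context_type(f.get('tcontext', '')),
    }
    return rec


def parse_audit_log(text: str) -> List[Dict[str, object]]:
    """Return one enriched dict per AVC record in the log text."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        if line.startswith('type=AVC '):
            rec = parse_avc(line)
            if rec:
                avcs.append(rec)
        elif line.startswith('type=SYSCALL '):
            m = SERIAL_RE.search(line)
            if m:
                syscalls[m.group(1)] = kv_fields(line)
    for rec in avcs:  # join on the audit serial shared by both records
        sc = syscalls.get(str(rec['serial']), {})
        rec['syscall'] = sc.get('syscall', '')
        rec['exe'] = sc.get('exe', '')
        rec['success'] = sc.get('success', '')
    return avcs


def signatures(rec: Dict[str, object]) -> List[str]:
    """setroubleshoot 'Hash:' form: comm,stype,ttype,tclass,perm (one per perm)."""
    return [f"{rec['comm']},{rec['stype']},{rec['ttype']},{rec['tclass']},{p}"
            for p in rec['perms']]


def allow_rule(rec: Dict[str, object]) -> str:
    """The raw allow rule audit2allow would emit for this single denial."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_str};"


def unique_signatures(recs: List[Dict[str, object]]) -> List[str]:
    """De-duplicate across a whole permissive-mode run, preserving first-seen order."""
    seen: Dict[str, None] = {}
    for rec in recs:
        for sig in signatures(rec):
            seen.setdefault(sig, None)
    return list(seen)


if __name__ == '__main__':
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{rec['verdict']} {rec['exe']} ({rec['comm']}) syscall={rec['syscall']} "
              f"on {rec['path']}: {allow_rule(rec)}")
    print('signatures:', unique_signatures(parse_audit_log(SAMPLE_AUDIT_LOG)))
```

The allow rule the script prints is the blunt local-module fix the catchall plugin suggests; the signature list is what to hand to the policy maintainers, who in this case chose a domain transition (ipsec_t to iptables_t) over a direct allow so that the firewall helper runs in its own confined domain.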
commit 6b78aba4c9edf94d0c1117968615351c9ad43f1e
Author: Miroslav Grepl <mgrepl>
Date:   Thu Aug 29 09:42:05 2013 +0200

    Allow ipsec_t to domtrans to iptables_t
selinux-policy-3.12.1-74.1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.1.fc19
Package selinux-policy-3.12.1-74.1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15819/selinux-policy-3.12.1-74.1.fc19
then log in and leave karma (feedback).
I ran "semanage permissive -d ipsec_t", installed selinux-policy-3.12.1-74.1.fc19, and no longer see AVC denials. StrongSwan is updating the firewall rules correctly now. Thanks!
Thank you for testing.
selinux-policy-3.12.1-74.1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.