Bug 1000775 - SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin/xtables-multi.
SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-25 00:37 EDT by Michael Hampton
Modified: 2013-09-07 20:36 EDT (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-74.1.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-06 10:07:03 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
audit.log (4.61 KB, text/plain)
2013-08-26 16:28 EDT, Michael Hampton
no flags Details

  None (edit)
Description Michael Hampton 2013-08-25 00:37:21 EDT
Description of problem:
When strongSwan is configured to automatically add firewall rules to iptables after successfully establishing a security association using "leftfirewall=yes" in ipsec.conf, this SELinux denial occurs, and the firewall rules are not added.

SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin/xtables-multi.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the xtables-multi file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep _updown /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:iptables_exec_t:s0
Target Objects                /usr/sbin/xtables-multi [ file ]
Source                        _updown
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          underground
Source RPM Packages           bash-4.2.45-1.fc19.x86_64
Target RPM Packages           iptables-1.4.18-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-71.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     underground
Platform                      Linux underground
                              3.10.7-200.fc19.x86_64 #1 SMP Thu Aug 15 23:19:45
                              UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-08-25 00:21:35 EDT
Last Seen                     2013-08-25 00:21:35 EDT
Local ID                      0e98f056-9f25-4054-adfb-4cff0e2ba587

Raw Audit Messages
type=AVC msg=audit(1377404495.485:1982): avc:  denied  { getattr } for  pid=27991 comm="_updown" path="/usr/sbin/xtables-multi" dev="dm-1" ino=11017995 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1377404495.485:1982): arch=x86_64 syscall=stat success=no exit=EACCES a0=2092340 a1=7fffed9090f0 a2=7fffed9090f0 a3=30ee6856f0 items=0 ppid=27990 pid=27991 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=_updown exe=/usr/bin/bash subj=system_u:system_r:ipsec_t:s0 key=(null)

Hash: _updown,ipsec_t,iptables_exec_t,file,getattr


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-71.fc19.noarch


How reproducible:
Always


Steps to Reproduce:
1. Configure an IPSec connection in strongSwan ipsec.conf, using leftfirewall=yes on the local Fedora 19 machine.
2. Start strongSwan.
3. Wait for the IPSec connection to be established.


Actual results:
The security associations are established, but the necessary firewall rules are not added, and this SELinux denial occurs. IPSec traffic cannot be passed.


Expected results:
No SELinux denials occur, and strongSwan can add the firewall rules. IPSec traffic passes successfully.


Additional info:
This issue doesn't occur on CentOS 6.4.
The strongSwan website has a large number of test configuration examples, many or most of which could be used to reproduce this.
Comment 1 Daniel Walsh 2013-08-26 15:46:06 EDT
Can you attempt this in permissive mode and collect all of the AVCs?
Comment 2 Michael Hampton 2013-08-26 16:28:52 EDT
Created attachment 790687 [details]
audit.log

These are the AVCs and corresponding syscalls I'm seeing after using semanage permissive -l ipsec_t and restarting strongswan.
Comment 3 Michael Hampton 2013-08-26 16:41:24 EDT
(In reply to Michael Hampton from comment #2)
> semanage permissive -l ipsec_t

Make that semanage permissive -a ipsec_t. It's been a long week already and it's only Monday.
Comment 4 Miroslav Grepl 2013-08-29 03:42:26 EDT
commit 6b78aba4c9edf94d0c1117968615351c9ad43f1e
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Aug 29 09:42:05 2013 +0200

    Allow ipsec_t to domtrans to iptables_t
Comment 5 Fedora Update System 2013-09-03 15:56:44 EDT
selinux-policy-3.12.1-74.1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.1.fc19
Comment 6 Fedora Update System 2013-09-04 21:38:10 EDT
Package selinux-policy-3.12.1-74.1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15819/selinux-policy-3.12.1-74.1.fc19
then log in and leave karma (feedback).
Comment 7 Michael Hampton 2013-09-06 00:39:40 EDT
I ran "semanage permissive -d ipsec_t", installed selinux-policy-3.12.1-74.1.fc19, and no longer see AVC denials. StrongSwan is updating the firewall rules correctly now. Thanks!
Comment 8 Miroslav Grepl 2013-09-06 10:07:03 EDT
Thank you for testing.
Comment 9 Fedora Update System 2013-09-07 20:36:08 EDT
selinux-policy-3.12.1-74.1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.