Bug 1000775 - SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin/xtables-multi.
Summary: SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2013-08-25 04:37 UTC by Michael Hampton
Modified: 2013-09-08 00:36 UTC (History)

Fixed In Version: selinux-policy-3.12.1-74.1.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-09-06 14:07:03 UTC
Type: Bug

Attachments
audit.log (4.61 KB, text/plain)
2013-08-26 20:28 UTC, Michael Hampton

Description Michael Hampton 2013-08-25 04:37:21 UTC
Description of problem:
When strongSwan is configured to automatically add firewall rules to iptables after successfully establishing a security association using "leftfirewall=yes" in ipsec.conf, this SELinux denial occurs, and the firewall rules are not added.

SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin/xtables-multi.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the xtables-multi file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep _updown /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:iptables_exec_t:s0
Target Objects                /usr/sbin/xtables-multi [ file ]
Source                        _updown
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          underground
Source RPM Packages           bash-4.2.45-1.fc19.x86_64
Target RPM Packages           iptables-1.4.18-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-71.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     underground
Platform                      Linux underground
                              3.10.7-200.fc19.x86_64 #1 SMP Thu Aug 15 23:19:45
                              UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-08-25 00:21:35 EDT
Last Seen                     2013-08-25 00:21:35 EDT
Local ID                      0e98f056-9f25-4054-adfb-4cff0e2ba587

Raw Audit Messages
type=AVC msg=audit(1377404495.485:1982): avc:  denied  { getattr } for  pid=27991 comm="_updown" path="/usr/sbin/xtables-multi" dev="dm-1" ino=11017995 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1377404495.485:1982): arch=x86_64 syscall=stat success=no exit=EACCES a0=2092340 a1=7fffed9090f0 a2=7fffed9090f0 a3=30ee6856f0 items=0 ppid=27990 pid=27991 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=_updown exe=/usr/bin/bash subj=system_u:system_r:ipsec_t:s0 key=(null)

Hash: _updown,ipsec_t,iptables_exec_t,file,getattr

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure an IPSec connection in strongSwan ipsec.conf, using leftfirewall=yes on the local Fedora 19 machine.
2. Start strongSwan.
3. Wait for the IPSec connection to be established.

Actual results:
The security associations are established, but the necessary firewall rules are not added, and this SELinux denial occurs. IPSec traffic cannot be passed.

Expected results:
No SELinux denials occur, and strongSwan can add the firewall rules. IPSec traffic passes successfully.

Additional info:
This issue doesn't occur on CentOS 6.4.
The strongSwan website has a large number of test configuration examples, many or most of which could be used to reproduce this.
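The raw audit records above (the AVC line and its matching SYSCALL line, joined by the same `audit(...:1982)` serial) are the data setroubleshoot condenses into the "Hash:" line and that `audit2allow` turns into an allow rule. The following parser is an added example, not part of the report or of selinux-policy: it reads records in that format, pairs each denied AVC with its SYSCALL record, reproduces the hash key, and prints the bare rule `audit2allow` would emit. The sample input is the report's own two records, constructed inline and abridged. Note that the bare allow rule is only what the tool would generate; the policy maintainer's fix (comment 4) was a domain transition from ipsec_t to iptables_t rather than a getattr allow on the executable.

```python
"""Parse raw SELinux audit records (AVC + SYSCALL) in audit.log format and derive
the setroubleshoot-style hash key and the allow rule audit2allow would generate."""
import re
from collections import defaultdict

# Constructed sample input: the two records from the bug report, abridged.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1377404495.485:1982): avc:  denied  { getattr } for  '
    'pid=27991 comm="_updown" path="/usr/sbin/xtables-multi" dev="dm-1" ino=11017995 '
    'scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1377404495.485:1982): arch=x86_64 syscall=stat success=no '
    'exit=EACCES a0=2092340 a1=7fffed9090f0 ppid=27990 pid=27991 uid=0 '
    'comm=_updown exe=/usr/bin/bash subj=system_u:system_r:ipsec_t:s0 key=(null)\n'
)

# Record header: type, timestamp and serial; everything after "): " is the body.
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# AVC body: result, permission set in braces, then key=value pairs after "for".
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values may be double-quoted (comm, path, dev).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit.log line into a dict, or return None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m['type'], 'timestamp': m['ts'], 'serial': int(m['serial'])}
    body = m['body']
    if rec['type'] == 'AVC':
        a = AVC_RE.match(body)
        if not a:
            return None
        rec['result'] = a['result']
        rec['perms'] = a['perms'].split()
        body = a['rest']
    for key, value in KV_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def selinux_type(context):
    """Return the type field of a context user:role:type[:range]."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def avc_hash(avc):
    """Reproduce setroubleshoot's 'Hash:' line: comm,source type,target type,class,perms."""
    return ','.join([avc.get('comm', '?'), selinux_type(avc['scontext']),
                     selinux_type(avc['tcontext']), avc['tclass'], ' '.join(avc['perms'])])


def audit2allow_rule(avc):
    """The bare allow rule audit2allow would emit for a denied AVC."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (selinux_type(avc['scontext']),
                                   selinux_type(avc['tcontext']), avc['tclass'], perm_str)


def summarize(text):
    """Group records by serial, pair each denied AVC with its SYSCALL record, and report."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec['serial']].append(rec)
    out = []
    for serial, recs in sorted(events.items()):
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), {})
        for avc in (r for r in recs if r['type'] == 'AVC' and r['result'] == 'denied'):
            out.append({'serial': serial, 'hash': avc_hash(avc), 'rule': audit2allow_rule(avc),
                        'syscall': syscall.get('syscall'), 'exit': syscall.get('exit'),
                        'exe': syscall.get('exe'), 'path': avc.get('path')})
    return out


if __name__ == '__main__':
    for event in summarize(SAMPLE_AUDIT):
        print(event)
```

Run against a real log, the SYSCALL pairing is what tells you the denied operation was a `stat` on the iptables binary returning EACCES from bash, which is why the `_updown` script silently fails to install the rules; that context is lost if you only look at the AVC line.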

Comment 1 Daniel Walsh 2013-08-26 19:46:06 UTC
Can you attempt this in permissive mode and collect all of the AVCs?

Comment 2 Michael Hampton 2013-08-26 20:28:52 UTC
Created attachment 790687

These are the AVCs and corresponding syscalls I'm seeing after using semanage permissive -l ipsec_t and restarting strongswan.

Comment 3 Michael Hampton 2013-08-26 20:41:24 UTC
(In reply to Michael Hampton from comment #2)
> semanage permissive -l ipsec_t

Make that semanage permissive -a ipsec_t. It's been a long week already and it's only Monday.

Comment 4 Miroslav Grepl 2013-08-29 07:42:26 UTC
commit 6b78aba4c9edf94d0c1117968615351c9ad43f1e
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Aug 29 09:42:05 2013 +0200

    Allow ipsec_t to domtrans to iptables_t

Comment 5 Fedora Update System 2013-09-03 19:56:44 UTC
selinux-policy-3.12.1-74.1.fc19 has been submitted as an update for Fedora 19.

Comment 6 Fedora Update System 2013-09-05 01:38:10 UTC
Package selinux-policy-3.12.1-74.1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.1.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 7 Michael Hampton 2013-09-06 04:39:40 UTC
I ran "semanage permissive -d ipsec_t", installed selinux-policy-3.12.1-74.1.fc19, and no longer see AVC denials. StrongSwan is updating the firewall rules correctly now. Thanks!

Comment 8 Miroslav Grepl 2013-09-06 14:07:03 UTC
Thank you for testing.

Comment 9 Fedora Update System 2013-09-08 00:36:08 UTC
selinux-policy-3.12.1-74.1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
