Bug 1259786 - Please update the policy for NetworkManager-libreswan-1.0.6
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Reported: 2015-09-03 10:20 EDT by Lubomir Rintel
Modified: 2015-11-19 05:44 EST
Fixed In Version: selinux-policy-3.13.1-55.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 05:44:24 EST
Type: Bug

Attachments
avc log (24.46 KB, text/plain), 2015-10-06 05:20 EDT, Vladimir Benes
avc log (20.38 KB, text/plain), 2015-10-06 05:26 EDT, Vladimir Benes

Description Lubomir Rintel 2015-09-03 10:20:40 EDT
The fixes based on rawhide-base:

git pull https://github.com/lkundrak/selinux-policy.git lr-libreswan

The top two commits from here https://github.com/lkundrak/selinux-policy/commits/lr-libreswan are relevant:

commit 1bfc73fd4d980c724bdf09461ac9f8e52a8d1a49
Author: Lubomir Rintel <lkundrak@v3.sk>
Date:   Mon Dec 1 00:53:23 2014 +0100

    ipsec: The NM helper needs to read the SAs
    
    Introduced in version 0.995 [f13be802 core: autodetect NEVER_DEFAULT by
    searching kernel IPSec routes]:
    
    https://mail.gnome.org/archives/commits-list/2014-October/msg04443.html
    
    Denials (when activating a connection via NetworkManager):
    
    type=AVC msg=audit(1441262481.216:183): avc:  denied  { create } for  pid=4556 comm="nm-libreswan-se" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket
    type=AVC msg=audit(1441262481.216:184): avc:  denied  { setopt } for  pid=4556 comm="nm-libreswan-se" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket
    type=AVC msg=audit(1441262481.216:185): avc:  denied  { bind } for  pid=4556 comm="nm-libreswan-se" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket
    type=AVC msg=audit(1441262481.216:186): avc:  denied  { nlmsg_read } for  pid=4556 comm="nm-libreswan-se" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket
    type=AVC msg=audit(1441262481.506:189): avc:  denied  { create } for  pid=4587 comm="nm-libreswan-se" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket
    type=AVC msg=audit(1441262481.507:190): avc:  denied  { setopt } for  pid=4587 comm="nm-libreswan-se" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket
    type=AVC msg=audit(1441262481.507:191): avc:  denied  { bind } for  pid=4587 comm="nm-libreswan-se" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket
    type=AVC msg=audit(1441262481.507:192): avc:  denied  { nlmsg_read } for  pid=4587 comm="nm-libreswan-se" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket

commit 9dc7ff453b0f02548947a838b12ed19f0056ab45
Author: Lubomir Rintel <lkundrak@v3.sk>
Date:   Mon Dec 1 00:50:54 2014 +0100

    ipsec: Allow ipsec management to create ptys
    
    The NM helper feeds the password to pluto via a pty to make it think it's
    interactive.
    
    Denials (when activating a connection via NetworkManager):
    
    type=AVC msg=audit(1441262480.696:173): avc:  denied  { read write } for  pid=4500 comm="nm-libreswan-se" name="ptmx" dev="devtmpfs" ino=1138 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
    type=AVC msg=audit(1441262480.696:173): avc:  denied  { open } for  pid=4500 comm="nm-libreswan-se" path="/dev/ptmx" dev="devtmpfs" ino=1138 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
    type=AVC msg=audit(1441262480.696:174): avc:  denied  { getattr } for  pid=4500 comm="nm-libreswan-se" name="/" dev="devpts" ino=1 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
    type=AVC msg=audit(1441262480.697:175): avc:  denied  { ioctl } for  pid=4500 comm="nm-libreswan-se" path="/dev/ptmx" dev="devtmpfs" ino=1138 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
    type=AVC msg=audit(1441262480.697:176): avc:  denied  { open } for  pid=4500 comm="nm-libreswan-se" path="/dev/pts/4" dev="devpts" ino=7 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Comment 3 Lukas Vrabec 2015-09-22 16:38:12 EDT
Fixes by Lubo are in fedora.
Comment 7 Vladimir Benes 2015-10-05 04:52:08 EDT
still seeing:
type=SYSCALL msg=audit(1444034486.190:1270): arch=c000003e syscall=165 success=no exit=-13 a0=440894 a1=43b461 a2=43c5ed a3=84000 items=0 ppid=1 pid=903 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1444034486.190:1270): avc:  denied  { mounton } for  pid=903 comm="ip" path="/" dev="dm-0" ino=128 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir

and unable to bring up libreswan connection

test machine available upon request
Comment 8 Miroslav Grepl 2015-10-05 05:12:40 EDT
(In reply to Vladimir Benes from comment #7)
> still seeing:
> type=SYSCALL msg=audit(1444034486.190:1270): arch=c000003e syscall=165
> success=no exit=-13 a0=440894 a1=43b461 a2=43c5ed a3=84000 items=0 ppid=1
> pid=903 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip"
> subj=system_u:system_r:ifconfig_t:s0 key=(null)
> type=AVC msg=audit(1444034486.190:1270): avc:  denied  { mounton } for 
> pid=903 comm="ip" path="/" dev="dm-0" ino=128
> scontext=system_u:system_r:ifconfig_t:s0
> tcontext=system_u:object_r:root_t:s0 tclass=dir
> 
> and unable to bring up libreswan connection
> 
> test machine available upon request

That's strange. Could you try to run it in permissive and

#ausearch -m avc,user_avc -ts recent
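The thread above turns on two steps a policy maintainer does with AVC output: aggregating the denials from the description into the handful of allow rules the NetworkManager helper needs (netlink_xfrm_socket on itself, ptmx_t/devpts_t for the pty), and checking which source domain a later denial actually comes from before attributing it to the package under test (the mounton denial in comment 7 is from ifconfig_t, not ipsec_mgmt_t). The following is an added example, not code from this bug or from the selinux-policy project; audit2allow is the real tool for this, and the script is a deliberately small reimplementation of its aggregation step. The sample input is constructed from the AVC lines quoted in this bug, one representative line per denial, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC lines quoted in this bug (description and
# comment 7), trimmed to one representative line per distinct denial.
SAMPLE_AVC_LINES = """\
type=AVC msg=audit(1441262481.216:183): avc:  denied  { create } for  pid=4556 comm="nm-libreswan-se" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1441262481.216:184): avc:  denied  { setopt } for  pid=4556 comm="nm-libreswan-se" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1441262481.216:185): avc:  denied  { bind } for  pid=4556 comm="nm-libreswan-se" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1441262481.216:186): avc:  denied  { nlmsg_read } for  pid=4556 comm="nm-libreswan-se" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1441262480.696:173): avc:  denied  { read write } for  pid=4500 comm="nm-libreswan-se" name="ptmx" dev="devtmpfs" ino=1138 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1441262480.696:173): avc:  denied  { open } for  pid=4500 comm="nm-libreswan-se" path="/dev/ptmx" dev="devtmpfs" ino=1138 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1441262480.696:174): avc:  denied  { getattr } for  pid=4500 comm="nm-libreswan-se" name="/" dev="devpts" ino=1 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
type=AVC msg=audit(1441262480.697:175): avc:  denied  { ioctl } for  pid=4500 comm="nm-libreswan-se" path="/dev/ptmx" dev="devtmpfs" ino=1138 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1441262480.697:176): avc:  denied  { open } for  pid=4500 comm="nm-libreswan-se" path="/dev/pts/4" dev="devpts" ino=7 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1444034486.190:1270): avc:  denied  { mounton } for  pid=903 comm="ip" path="/" dev="dm-0" ino=128 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit AVC line into a dict, or None if it is not a denial."""
    m = PERMS_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        scontext, tcontext, tclass = fields["scontext"], fields["tcontext"], fields["tclass"]
    except KeyError:
        return None
    return {
        "perms": set(m.group(1).split()),
        "comm": fields.get("comm", "?"),
        "scontext": scontext,
        "tcontext": tcontext,
        "sdomain": context_type(scontext),
        "ttype": context_type(tcontext),
        "tclass": tclass,
    }


def denials_by_domain(text):
    """Map each denied source domain to the set of process names (comm) seen in it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            seen[d["sdomain"]].add(d["comm"])
    return dict(seen)


def allow_rules(text, source_domain=None):
    """Aggregate denials into minimal allow rules, optionally for one source domain only."""
    needed = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None or (source_domain and d["sdomain"] != source_domain):
            continue
        # A domain denied on an object carrying its own context (the netlink
        # socket case above) is written with the target "self" in policy.
        target = "self" if d["scontext"] == d["tcontext"] else d["ttype"]
        needed[(d["sdomain"], target, d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ %s }" % " ".join(perm_list)
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    # Triage first: which domains (and which programs) produced the denials?
    print("denied domains:", denials_by_domain(SAMPLE_AVC_LINES))
    # Then generate rules only for the domain the package under test runs in.
    for rule in allow_rules(SAMPLE_AVC_LINES, source_domain="ipsec_mgmt_t"):
        print(rule)
```

Run against a real log, the input would be the output of the `ausearch -m avc,user_avc -ts recent` command suggested above. Filtering on `source_domain` is the point of the example: generating rules for every denial in the log would have produced an `allow ifconfig_t root_t:dir mounton;` rule for a denial that, as the later comments establish, belongs to a different component, so the grouping by domain is what tells you which denials the policy change for this package should answer.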
Comment 9 Vladimir Benes 2015-10-06 05:20 EDT
Created attachment 1080185 [details]
avc log

this probably means it's from racoon server and not libreswan
Comment 10 Vladimir Benes 2015-10-06 05:26 EDT
Created attachment 1080186 [details]
avc log

actually this is the correct one from -56 version
Comment 11 Vladimir Benes 2015-10-06 05:43:04 EDT
moving back to ON_QA as current avc is related to ipsec-tools (and racoon server that serves libreswan tests)
Comment 14 errata-xmlrpc 2015-11-19 05:44:24 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
