Bug 1287182 - SELinux policy (daemons) changes required for package: libreswan
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.7
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Depends On: 1260471 1272437
Blocks: 1284759 1289019
Reported: 2015-12-01 17:23 UTC by Lubomir Rintel
Modified: 2016-05-10 20:03 UTC
CC list: 16 users
Fixed In Version: selinux-policy-3.7.19-284.el6
Doc Type: Bug Fix
Clone Of: 1272437
Clones: 1289019
Last Closed: 2016-05-10 20:03:01 UTC

Links:
Red Hat Product Errata RHBA-2016:0763 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2016-05-10 22:33:46 UTC

Comment 2 Vera Budikova 2015-12-01 17:44:51 UTC
Libreswan does not work because of selinux avc denials. I was not able to verify bug 1284759.

Comment 4 Milos Malik 2015-12-02 07:21:42 UTC
Which version of selinux-policy was installed on your machine?

Comment 5 Vera Budikova 2015-12-02 07:39:07 UTC
selinux-policy-3.7.19-279.el6_7.7

Comment 6 Vera Budikova 2015-12-02 08:11:40 UTC
Package selinux-policy-3.7.19-283.el6 returns:
time->Wed Dec  2 09:04:33 2015
type=SYSCALL msg=audit(1449043473.803:43): arch=c000003e syscall=268 success=no exit=-13 a0=ffffffffffffff9c a1=f9c0f0 a2=1c0 a3=0 items=0 ppid=4421 pid=4428 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/bin/chmod" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449043473.803:43): avc:  denied  { setattr } for  pid=4428 comm="chmod" name="pluto" dev=dm-0 ino=525613 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=dir
----
time->Wed Dec  2 09:04:35 2015
type=SYSCALL msg=audit(1449043475.806:44): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=2 a2=0 a3=0 items=0 ppid=4869 pid=4870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="addconn" exe="/usr/libexec/ipsec/addconn" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449043475.806:44): avc:  denied  { create } for  pid=4870 comm="addconn" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket

Comment 7 Milos Malik 2015-12-02 08:16:58 UTC
Based on "success=no", it's clear that AVCs were triggered in enforcing mode. Could you re-run the same scenario in permissive mode (after setenforce 0)? Please collect the AVCs triggered in permissive mode and attach them here. Thanks

Comment 8 Tuomo Soini 2015-12-02 08:21:31 UTC
What's the mode of /var/run/pluto dir when installed from package? It should be 0700,root,root - if mode is correct there is no avc from that one.

Second one is caused by first problem.

Comment 9 Vera Budikova 2015-12-02 08:56:21 UTC
Milos Malik:

time->Wed Dec  2 09:46:16 2015
type=SYSCALL msg=audit(1449045976.694:99): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=13500f0 a2=1c0 a3=0 items=0 ppid=6385 pid=6392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/bin/chmod" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449045976.694:99): avc:  denied  { setattr } for  pid=6392 comm="chmod" name="pluto" dev=dm-0 ino=525613 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=dir
----
time->Wed Dec  2 09:46:18 2015
type=SYSCALL msg=audit(1449045978.730:100): arch=c000003e syscall=41 success=yes exit=0 a0=10 a1=2 a2=0 a3=0 items=0 ppid=6834 pid=6835 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="addconn" exe="/usr/libexec/ipsec/addconn" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449045978.730:100): avc:  denied  { create } for  pid=6835 comm="addconn" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket
----
time->Wed Dec  2 09:46:18 2015
type=SYSCALL msg=audit(1449045978.731:101): arch=c000003e syscall=44 success=yes exit=28 a0=0 a1=7fffe0c09750 a2=1c a3=0 items=0 ppid=6834 pid=6835 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="addconn" exe="/usr/libexec/ipsec/addconn" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449045978.731:101): avc:  denied  { nlmsg_read } for  pid=6835 comm="addconn" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket


Tuomo Soini:
drwx------. 2 root      root      4096 Dec  2 09:46 pluto

Comment 10 Ondrej Moriš 2015-12-02 14:15:21 UTC
(In reply to Vera Budikova from comment #2)
> Libreswan does not work because of selinux avc denials. I was not able to
> verify bug 1284759.

Could you please turn selinux into permissive mode and execute at least some important tests to make sure there are no problems in NM-openswan? Also, it is important to test NM-openswan with both:

a) openswan (available in rhel6 already)
b) libreswan (available via ER#21587)

Comment 12 Vera Budikova 2015-12-02 17:06:13 UTC
a) No AVCs with openswan in permissive mode:
NetworkManager-openswan-0.8.0-9.el6_7.x86_64
openswan-2.6.32-37.el6.x86_64

b) You can see AVCs with libreswan in comment9.

Comment 13 Ondrej Moriš 2015-12-02 17:31:39 UTC
(In reply to Vera Budikova from comment #12)
> a) No AVCs with openswan in permissive mode:
> NetworkManager-openswan-0.8.0-9.el6_7.x86_64
> openswan-2.6.32-37.el6.x86_64
> 
> b) You can see AVCs with libreswan in comment9.

Good news indeed, thank you! We will have selinux-policy fix available tomorrow, hopefully.

Comment 14 Tuomo Soini 2015-12-02 19:37:30 UTC
Paul confirmed spec has:

%attr(0755,root,root) %dir %{_localstatedir}/run/pluto

So there is a packaging error too.

Comment 15 Paul Wouters 2015-12-02 19:39:38 UTC
(In reply to Ondrej Moriš from comment #13)
> (In reply to Vera Budikova from comment #12)
> > a) No AVCs with openswan in permissive mode:
> > NetworkManager-openswan-0.8.0-9.el6_7.x86_64
> > openswan-2.6.32-37.el6.x86_64
> > 
> > b) You can see AVCs with libreswan in comment9.
> 
> Good news indeed, thank you! We will have selinux-policy fix available
> tomorrow, hopefully.

should we file a bug to make the dir 0700 ?

Comment 16 Tuomo Soini 2015-12-02 19:43:08 UTC
Yes, that should be changed because when ipsec starts up, it runs setup which changes mode of /var/run/pluto to 0700. And that causes totally unnecessary rpm verify error for directory mode.

Comment 17 Ondrej Moriš 2015-12-03 11:25:43 UTC
(In reply to Paul Wouters from comment #15)
> should we file a bug to make the dir 0700 ?

We can fix that, but it will solve only failed rpm --verify. I suggest living without it at the moment; we would need a 6.7.z clone, acks, and the batch update 4 deadline for QA is approaching (12-8). Anyway, it will not solve the setattr AVC, which is caused by selinux-policy because ipsec_mgmt_t cannot call setattr_t on dir AFAIK.

(In reply to Tuomo Soini from comment #16)
> Yes, that should be changed because when ipsec starts up, it runs setup
> which changes mode of /var/run/pluto to 0700. And that causes totally
> unnecessary rpm verify error for directory mode.

See above. Second AVC is not caused by the first one, really. There are actually two chmod calls during ipsec start, first is from ipsec initscript - it succeeds (because selinux-policy allows it), second is in /usr/libexec/ipsec/setup and it fails because selinux-policy denies it (see above). Basically, one of those two is redundant here but it is not a problem at all.

We definitely need to fix all AVCs mentioned in c#9 in selinux-policy at this moment.

Comment 18 Tuomo Soini 2015-12-03 11:29:28 UTC
I have been running libreswan for years with selinux enabled on a rhel6-based platform. No, if that mode is fixed, the selinux change is not needed, because chmod doesn't do anything if the mode is already correct.

Comment 19 Ondrej Moriš 2015-12-03 13:12:24 UTC
OK then, let me correct myself: changing the specfile _will fix_ the first AVC (setattr), but we still need to correct selinux-policy as well, because someone might remove /var/run/pluto (for whatever reason). The ipsec service can handle that by creating it again, and then it calls chmod 700, which would be rejected by selinux-policy. Thus I am proposing the following:

  * let's correct specfile (BZ#1288086) [not necessarily in 6.7.4]
  * let's correct all AVC from c#9 in selinux-policy:

    allow ipsec_mgmt_t ipsec_var_run_t:dir setattr;
    allow ipsec_mgmt_t self:netlink_route_socket { create nlmsg_read };

    (afaik)
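As an added example that is not part of this bug report, the following Python turns the AVC records from comment 9 into the allow rules proposed in comment 19, merging permissions per (source type, target type, class) and writing "self" where source and target types coincide, and uses the matching SYSCALL record's success= field to tell an enforcing-mode denial from a permissive-mode one, which is the distinction comment 7 asks about. The sample log is constructed from the page's own lines (SYSCALL records abridged to the fields the parser reads); nothing here is libreswan or selinux-policy code.

```python
import re
from collections import defaultdict

# Constructed sample built from the comment 9 records on this page; the SYSCALL
# lines are abridged to the fields the parser reads (event id, success, comm).
AUDIT_LOG = """\
type=SYSCALL msg=audit(1449045976.694:99): arch=c000003e syscall=268 success=yes exit=0 comm="chmod" subj=system_u:system_r:ipsec_mgmt_t:s0
type=AVC msg=audit(1449045976.694:99): avc:  denied  { setattr } for  pid=6392 comm="chmod" name="pluto" dev=dm-0 ino=525613 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1449045978.730:100): arch=c000003e syscall=41 success=yes exit=0 comm="addconn" subj=system_u:system_r:ipsec_mgmt_t:s0
type=AVC msg=audit(1449045978.730:100): avc:  denied  { create } for  pid=6835 comm="addconn" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1449045978.731:101): arch=c000003e syscall=44 success=yes exit=28 comm="addconn" subj=system_u:system_r:ipsec_mgmt_t:s0
type=AVC msg=audit(1449045978.731:101): avc:  denied  { nlmsg_read } for  pid=6835 comm="addconn" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<id>[\d.]+:\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<id>[\d.]+:\d+)\): .*?success=(?P<success>yes|no)')


def parse_denials(log):
    """Return one dict per AVC denial, tagged with the mode inferred from the
    SYSCALL record sharing its event id: success=no means the call was really
    blocked (enforcing), success=yes means it was only logged (permissive)."""
    success = {m['id']: m['success'] for m in SYSCALL_RE.finditer(log)}
    denials = []
    for m in AVC_RE.finditer(log):
        mode = None  # no SYSCALL record with this event id in the input
        if m['id'] in success:
            mode = 'enforcing' if success[m['id']] == 'no' else 'permissive'
        denials.append({'id': m['id'], 'stype': m['stype'], 'ttype': m['ttype'],
                        'tclass': m['tclass'], 'perms': set(m['perms'].split()),
                        'mode': mode})
    return denials


def allow_rules(denials):
    """Merge denials into allow statements keyed by (source type, target, class),
    writing 'self' when source and target types coincide, as audit2allow does."""
    merged = defaultdict(set)
    for d in denials:
        target = 'self' if d['stype'] == d['ttype'] else d['ttype']
        merged[(d['stype'], target, d['tclass'])] |= d['perms']
    rules = []
    for (stype, target, tclass), perms in sorted(merged.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return rules
```

Running `allow_rules(parse_denials(AUDIT_LOG))` on the sample yields exactly the two rules listed in comment 19, and every denial is tagged permissive because comment 9 was collected after setenforce 0.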

Comment 29 errata-xmlrpc 2016-05-10 20:03:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html

