Bug 1287182 - SELinux policy (daemons) changes required for package: libreswan
SELinux policy (daemons) changes required for package: libreswan
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.7
All Linux
high Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
: TestBlocker, ZStream
Depends On: 1260471 1272437
Blocks: 1284759 1289019
  Show dependency treegraph
 
Reported: 2015-12-01 12:23 EST by Lubomir Rintel
Modified: 2016-05-10 16:03 EDT (History)
16 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-284.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1272437
: 1289019 (view as bug list)
Environment:
Last Closed: 2016-05-10 16:03:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Comment 2 Vera Budikova 2015-12-01 12:44:51 EST
Libreswan does not work because of selinux avc denials. I was not able to verify bug 1284759.
Comment 4 Milos Malik 2015-12-02 02:21:42 EST
Which version of selinux-policy was installed on your machine?
Comment 5 Vera Budikova 2015-12-02 02:39:07 EST
selinux-policy-3.7.19-279.el6_7.7
Comment 6 Vera Budikova 2015-12-02 03:11:40 EST
Package selinux-policy-3.7.19-283.el6 returns:
time->Wed Dec  2 09:04:33 2015
type=SYSCALL msg=audit(1449043473.803:43): arch=c000003e syscall=268 success=no exit=-13 a0=ffffffffffffff9c a1=f9c0f0 a2=1c0 a3=0 items=0 ppid=4421 pid=4428 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/bin/chmod" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449043473.803:43): avc:  denied  { setattr } for  pid=4428 comm="chmod" name="pluto" dev=dm-0 ino=525613 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=dir
----
time->Wed Dec  2 09:04:35 2015
type=SYSCALL msg=audit(1449043475.806:44): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=2 a2=0 a3=0 items=0 ppid=4869 pid=4870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="addconn" exe="/usr/libexec/ipsec/addconn" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449043475.806:44): avc:  denied  { create } for  pid=4870 comm="addconn" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket
Comment 7 Milos Malik 2015-12-02 03:16:58 EST
Based on "success=no", it's clear that AVCs were triggered in enforcing mode. Could you re-run the same scenario in permissive mode (after setenforce 0)? Please collect the AVCs triggered in permissive mode and attach them here. Thanks
Comment 8 Tuomo Soini 2015-12-02 03:21:31 EST
What's the mode of /var/run/pluto dir when installed from package? It should be 0700,root,root - if mode is correct there is no avc from that one.

Second one is caused by first problem.
Comment 9 Vera Budikova 2015-12-02 03:56:21 EST
Milos Malik:

time->Wed Dec  2 09:46:16 2015
type=SYSCALL msg=audit(1449045976.694:99): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=13500f0 a2=1c0 a3=0 items=0 ppid=6385 pid=6392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/bin/chmod" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449045976.694:99): avc:  denied  { setattr } for  pid=6392 comm="chmod" name="pluto" dev=dm-0 ino=525613 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=dir
----
time->Wed Dec  2 09:46:18 2015
type=SYSCALL msg=audit(1449045978.730:100): arch=c000003e syscall=41 success=yes exit=0 a0=10 a1=2 a2=0 a3=0 items=0 ppid=6834 pid=6835 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="addconn" exe="/usr/libexec/ipsec/addconn" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449045978.730:100): avc:  denied  { create } for  pid=6835 comm="addconn" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket
----
time->Wed Dec  2 09:46:18 2015
type=SYSCALL msg=audit(1449045978.731:101): arch=c000003e syscall=44 success=yes exit=28 a0=0 a1=7fffe0c09750 a2=1c a3=0 items=0 ppid=6834 pid=6835 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="addconn" exe="/usr/libexec/ipsec/addconn" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1449045978.731:101): avc:  denied  { nlmsg_read } for  pid=6835 comm="addconn" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket


Tuomo Soini:
drwx------. 2 root      root      4096 Dec  2 09:46 pluto
Comment 10 Ondrej Moriš 2015-12-02 09:15:21 EST
(In reply to Vera Budikova from comment #2)
> Libreswan does not work because of selinux avc denials. I was not able to
> verify bug 1284759.

Could you please turn selinux into permissive mode and execute at least some important tests to make sure there are no problems in NM-openswan? Also, it is important to test NM-openswan with both:

a) openswan (available in rhel6 already)
b) libreswan (available via ER#21587)
Comment 12 Vera Budikova 2015-12-02 12:06:13 EST
a) No AVCs with openswan in permissive mode:
NetworkManager-openswan-0.8.0-9.el6_7.x86_64
openswan-2.6.32-37.el6.x86_64

b) You can see AVCs with libreswan in comment9.
Comment 13 Ondrej Moriš 2015-12-02 12:31:39 EST
(In reply to Vera Budikova from comment #12)
> a) No AVCs with openswan in permissive mode:
> NetworkManager-openswan-0.8.0-9.el6_7.x86_64
> openswan-2.6.32-37.el6.x86_64
> 
> b) You can see AVCs with libreswan in comment9.

Good news indeed, thank you! We will have selinux-policy fix available tomorrow, hopefully.
Comment 14 Tuomo Soini 2015-12-02 14:37:30 EST
Paul confirmed spec has:

%attr(0755,root,root) %dir %{_localstatedir}/run/pluto

So there is a packaging error too.
Comment 15 Paul Wouters 2015-12-02 14:39:38 EST
(In reply to Ondrej Moriš from comment #13)
> (In reply to Vera Budikova from comment #12)
> > a) No AVCs with openswan in permissive mode:
> > NetworkManager-openswan-0.8.0-9.el6_7.x86_64
> > openswan-2.6.32-37.el6.x86_64
> > 
> > b) You can see AVCs with libreswan in comment9.
> 
> Good news indeed, thank you! We will have selinux-policy fix available
> tomorrow, hopefully.

should we file a bug to make the dir 0700 ?
Comment 16 Tuomo Soini 2015-12-02 14:43:08 EST
Yes, that should be changed because when ipsec starts up, it runs setup which changes mode of /var/run/pluto to 0700. And that causes totally unnecessary rpm verify error for directory mode.
Comment 17 Ondrej Moriš 2015-12-03 06:25:43 EST
(In reply to Paul Wouters from comment #15)
> should we file a bug to make the dir 0700 ?

We can fix that, but it will solve only failed rpm --verify, I suggest to live without it at the moment, we would need 6.7.z clone, acks and batch update 4 deadline for QA is approaching (12-8)., Anyway, it will not solve setattr AVC which is caused by selinux-policy because ipsec_mgmt_t cannot call setattr_t on dir AFAIK.

(In reply to Tuomo Soini from comment #16)
> Yes, that should be changed because when ipsec starts up, it runs setup
> which changes mode of /var/run/pluto to 0700. And that causes totally
> unnecessary rpm verify error for directory mode.

See above. Second AVC is not caused by the first one, really. There are actually two chmod calls during ipsec start, first is from ipsec initscript - it succeeds (because selinux-policy allows it), second is in /usr/libexec/ipsec/setup and it fails because selinux-policy denies it (see above). Basically, one of those two is redundant here but it is not a problem at all.

We definitely need to fix all AVC mentioned in c#9 in selinux-policy  at this moment.
Comment 18 Tuomo Soini 2015-12-03 06:29:28 EST
I have been running libreswan for years with selinux enabled on rhel6 based platform. No, if that mode is fixed selinux change is not needed because chmod doesn't do anything if mode is already correct.
Comment 19 Ondrej Moriš 2015-12-03 08:12:24 EST
OK then, let me correct myself, changing specfile _will fix_ the first AVC (setattr) but we still need to correct selinux-policy as well, because someone might remove /var/run/pluto (for whatever reason). ipsec service can handle that my creating it again and then it calls chmod 700 which would be rejected by selinux-policy. Thus I am proposing the following:

  * let's correct specfile (BZ#1288086) [not necessarily in 6.7.4]
  * let's correct all AVC from c#9 in selinux-policy:

    allow ipsec_mgmt_t ipsec_var_run_t:dir setattr;
    allow ipsec_mgmt_t self:netlink_route_socket { create nlmsg_read };
    allow ipsec_mgmt_t self:netlink_route_sockettime->Wed nlmsg_read;

    (afaik)
Comment 29 errata-xmlrpc 2016-05-10 16:03:01 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html

Note You need to log in before you can comment on or make changes to this bug.