Description of problem:
The following AVC denials were reported while starting ipsec. The issue was seen only on ppc64, but it still might not be architecture related. It was a slower virtual machine, which could have had an effect on the result too.

----
time->Sat Dec 3 09:56:56 2016
type=SOCKETCALL msg=audit(1480777016.641:1439): nargs=3 a0=2 a1=3 a2=ff
type=SYSCALL msg=audit(1480777016.641:1439): arch=80000015 syscall=102 success=no exit=-13 a0=1 a1=ffff2fede10 a2=ff a3=fffffffffefefeff items=0 ppid=26929 pid=26930 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1480777016.641:1439): avc: denied { create } for pid=26930 comm="iptables" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tclass=rawip_socket
----
time->Sat Dec 3 09:56:56 2016
type=PATH msg=audit(1480777016.641:1440): item=0 name="/proc/sys/kernel/modprobe" inode=6810 dev=00:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL
type=CWD msg=audit(1480777016.641:1440): cwd="/"
type=SYSCALL msg=audit(1480777016.641:1440): arch=80000015 syscall=5 success=no exit=-13 a0=80b3858250 a1=0 a2=0 a3=fffffffffefefeff items=1 ppid=26929 pid=26930 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1480777016.641:1440): avc: denied { read } for pid=26930 comm="iptables" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
----

The ipsec daemon noticed the issue:

# service ipsec start
Starting pluto IKE daemon for IPsec:
Migrating NSS db to sql:/etc/ipsec.d
Password changed successfully.
upgrade complete!
NSS upgrade complete
iptables v1.4.7: can't initialize iptables table `filter': Permission denied
Perhaps iptables or your kernel needs to be upgraded.

Not sure if this should be allowed or not. If yes, please add it to the policy or forward the case to libreswan if they are doing something they should not.

Version-Release number of selected component (if applicable):
libreswan-3.15-7.el6.1
selinux-policy-3.7.19-305.el6

How reproducible:
seen only once

Steps to Reproduce:
There is no reliable reproducer.
libreswan starts iptables, but iptables stays running as ipsec_mgmt_t, which is unexpected, because the policy contains the necessary rules for the transition. Maybe iptables was incorrectly labeled on the filesystem.
If libreswan starts iptables, then the following symbolic links have to be traversed to get to the iptables_exec_t context. Why is it so complicated?

# ls -Z `which iptables`
lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0 /sbin/iptables -> /etc/alternatives/iptables.ppc64
# ls -Z /etc/alternatives/iptables.ppc64
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0 /etc/alternatives/iptables.ppc64 -> /sbin/iptables-1.4.7
# ls -Z /sbin/iptables-1.4.7
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /sbin/iptables-1.4.7 -> iptables-multi
# ls -Z /sbin/iptables-multi
lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0 /sbin/iptables-multi -> /etc/alternatives/sbin-iptables-multi.ppc64
# ls -Z /etc/alternatives/sbin-iptables-multi.ppc64
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0 /etc/alternatives/sbin-iptables-multi.ppc64 -> /sbin/iptables-multi-1.4.7
# ls -Z /sbin/iptables-multi-1.4.7
-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi-1.4.7
#
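A way to check the kind of chain shown in the previous comment, as an added example that is not part of this bug report or of libreswan: it follows a symlink chain one hop at a time (resolving relative targets such as iptables-multi against the symlink's own directory, as the kernel does), reads each hop's own SELinux label from the security.selinux xattr where the host has labels, and reports the type of the final file, which is what a domain transition is decided on. make_demo_chain builds a constructed, unlabelled replica of the chain above under a temporary directory; all function names are my own.

```python
import os
import tempfile

SELINUX_XATTR = "security.selinux"

def selinux_context(path):
    """Label of `path` itself (not its target); None when no SELinux xattr is readable."""
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except (OSError, AttributeError):  # non-SELinux host, or no os.getxattr on this platform
        return None
    return raw.rstrip(b"\0").decode()

def walk_symlink_chain(path, max_hops=32):
    """Follow symlinks one hop at a time, as kernel path lookup does; returns
    [(path, context, link_target)] with link_target None for the final file. A relative
    target like 'iptables-multi' resolves against the symlink's own directory."""
    hops, seen = [], set()
    while os.path.islink(path):
        if path in seen or len(hops) >= max_hops:
            raise RuntimeError("symlink loop or over-long chain at %s" % path)
        seen.add(path)
        target = os.readlink(path)
        hops.append((path, selinux_context(path), target))
        path = os.path.normpath(os.path.join(os.path.dirname(path), target))
    hops.append((path, selinux_context(path), None))
    return hops

def entrypoint_type(hops):
    """SELinux type (third field) of the chain's final file, or None if unlabelled."""
    ctx = hops[-1][1]
    return ctx.split(":")[2] if ctx else None

def make_demo_chain():
    """Constructed replica of the report's chain under a temp dir (carries no SELinux labels)."""
    root = tempfile.mkdtemp()
    sbin, alt = os.path.join(root, "sbin"), os.path.join(root, "etc", "alternatives")
    os.makedirs(sbin)
    os.makedirs(alt)
    open(os.path.join(sbin, "iptables-multi-1.4.7"), "w").close()  # empty stand-in for the real binary
    os.symlink(os.path.join(sbin, "iptables-multi-1.4.7"), os.path.join(alt, "sbin-iptables-multi.ppc64"))
    os.symlink(os.path.join(alt, "sbin-iptables-multi.ppc64"), os.path.join(sbin, "iptables-multi"))
    os.symlink("iptables-multi", os.path.join(sbin, "iptables-1.4.7"))  # relative link, as on the page
    os.symlink(os.path.join(sbin, "iptables-1.4.7"), os.path.join(alt, "iptables.ppc64"))
    os.symlink(os.path.join(alt, "iptables.ppc64"), os.path.join(sbin, "iptables"))
    return os.path.join(sbin, "iptables")

if __name__ == "__main__":
    for p, ctx, tgt in walk_symlink_chain(make_demo_chain()):
        print("%s  [%s]  -> %s" % (p, ctx or "no label", tgt or "regular file"))
```

On a real host, run walk_symlink_chain("/sbin/iptables") and compare entrypoint_type() with iptables_exec_t; a mismatch, or a hop labelled etc_t or unlabeled_t, points at the labelling rather than at the policy rules.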
Red Hat Enterprise Linux version 6 is entering the Production 2 phase of its lifetime and this bug doesn't meet the criteria for it, i.e. only high severity issues will be fixed. Please see https://access.redhat.com/support/policy/updates/errata/ for further information.