Bug 1401589 - AVC denials when ipsec was started on ppc64
Summary: AVC denials when ipsec was started on ppc64
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.9
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-12-05 15:54 UTC by Patrik Kis
Modified: 2016-12-07 09:35 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-07 09:35:39 UTC
Target Upstream Version:



Description Patrik Kis 2016-12-05 15:54:29 UTC
Description of problem:
The following AVC denials were reported while starting ipsec. The issue was seen only on ppc64, but it still might not be architecture related. It was a slower virtual machine, which could have had an effect on the result too.

----
time->Sat Dec  3 09:56:56 2016
type=SOCKETCALL msg=audit(1480777016.641:1439): nargs=3 a0=2 a1=3 a2=ff
type=SYSCALL msg=audit(1480777016.641:1439): arch=80000015 syscall=102 success=no exit=-13 a0=1 a1=ffff2fede10 a2=ff a3=fffffffffefefeff items=0 ppid=26929 pid=26930 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1480777016.641:1439): avc:  denied  { create } for  pid=26930 comm="iptables" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tclass=rawip_socket
----
time->Sat Dec  3 09:56:56 2016
type=PATH msg=audit(1480777016.641:1440): item=0 name="/proc/sys/kernel/modprobe" inode=6810 dev=00:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL
type=CWD msg=audit(1480777016.641:1440):  cwd="/"
type=SYSCALL msg=audit(1480777016.641:1440): arch=80000015 syscall=5 success=no exit=-13 a0=80b3858250 a1=0 a2=0 a3=fffffffffefefeff items=1 ppid=26929 pid=26930 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1480777016.641:1440): avc:  denied  { read } for  pid=26930 comm="iptables" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
----

The ipsec daemon noticed the issue:

# service ipsec start
Starting pluto IKE daemon for IPsec: Migrating NSS db to sql:/etc/ipsec.d
Password changed successfully.
upgrade complete!
NSS upgrade complete
iptables v1.4.7: can't initialize iptables table `filter': Permission denied
Perhaps iptables or your kernel needs to be upgraded.

Not sure if this should be allowed or not. If yes, please add it to the policy or forward the case to libreswan if they are doing something they should not.


Version-Release number of selected component (if applicable):
libreswan-3.15-7.el6.1
selinux-policy-3.7.19-305.el6


How reproducible:
seen only once

Steps to Reproduce:
There is no reliable reproducer.

Comment 2 Milos Malik 2016-12-05 16:20:28 UTC
libreswan starts iptables, but iptables stays running as ipsec_mgmt_t, which is unexpected, because the policy contains the necessary rules for the transition. Maybe iptables was incorrectly labeled on the filesystem.

Comment 4 Milos Malik 2016-12-05 16:52:28 UTC
If libreswan starts iptables then the following symbolic links have to be traversed to get to the iptables_exec_t context. Why is it so complicated?

# ls -Z `which iptables`
lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0   /sbin/iptables -> /etc/alternatives/iptables.ppc64
# ls -Z /etc/alternatives/iptables.ppc64
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0   /etc/alternatives/iptables.ppc64 -> /sbin/iptables-1.4.7
# ls -Z /sbin/iptables-1.4.7
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /sbin/iptables-1.4.7 -> iptables-multi
# ls -Z /sbin/iptables-multi
lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0   /sbin/iptables-multi -> /etc/alternatives/sbin-iptables-multi.ppc64
# ls -Z /etc/alternatives/sbin-iptables-multi.ppc64
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0   /etc/alternatives/sbin-iptables-multi.ppc64 -> /sbin/iptables-multi-1.4.7
# ls -Z /sbin/iptables-multi-1.4.7 
-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi-1.4.7
#
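The two things Milos checks in comments 2 and 4 (does the alternatives chain end on a file labeled iptables_exec_t, and does a transition rule exist from ipsec_mgmt_t for that type) can be scripted. The script below is an added example, not part of the bug report and not code from libreswan or selinux-policy: it walks a symlink chain one hop at a time with readlink instead of collapsing it, prints each hop's context, compares the type of the final executable with the expected one, and optionally queries the transition rule. The function names, the `stat -c %C` based context lookup and the setools-3 style `sesearch -T` invocation are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): walk a symlink chain such as
# /sbin/iptables -> /etc/alternatives/... -> /sbin/iptables-multi-1.4.7,
# print the SELinux context of every hop, and check that the real executable
# at the end carries the expected type. Function names are assumptions.

# context_of PATH: SELinux context via GNU stat; '?' where unavailable.
context_of() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || ctx='?'
    printf '%s\n' "${ctx:-?}"
}

# context_type CONTEXT: third field (the type) of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# resolve_chain PATH: one line "context path" per hop; the final line is the
# real file. Fails on a dangling link or after 32 hops (loop guard).
resolve_chain() {
    p=$1
    hops=0
    while [ "$hops" -lt 32 ]; do
        printf '%s %s\n' "$(context_of "$p")" "$p"
        if [ -L "$p" ]; then
            target=$(readlink "$p") || return 1
            case $target in
                /*) p=$target ;;
                # a relative target (e.g. iptables-1.4.7 -> iptables-multi)
                # is interpreted relative to the link's own directory
                *)  p=$(dirname "$p")/$target ;;
            esac
            hops=$((hops + 1))
        elif [ -e "$p" ]; then
            return 0
        else
            printf 'dangling link: %s\n' "$p" >&2
            return 1
        fi
    done
    printf 'more than 32 hops, giving up: %s\n' "$1" >&2
    return 1
}

# final_target PATH: path of the real file at the end of the chain.
final_target() {
    chain=$(resolve_chain "$1") || return 1
    printf '%s\n' "$chain" | tail -n 1 | cut -d' ' -f2-
}

# check_exec_label PATH EXPECTED_TYPE: returns 0 if the file the chain ends
# on has that SELinux type, 1 otherwise. A mismatch here is what would leave
# the caller running in its own domain instead of transitioning.
check_exec_label() {
    f=$(final_target "$1") || return 1
    t=$(context_type "$(context_of "$f")")
    if [ "$t" = "$2" ]; then
        printf 'OK: %s is %s\n' "$f" "$t"
        return 0
    fi
    printf 'MISMATCH: %s is labeled %s, expected %s\n' "$f" "${t:-?}" "$2" >&2
    return 1
}

# check_transition SRC_DOMAIN EXEC_TYPE: show the type_transition rule that
# should move SRC_DOMAIN to a new domain when it executes EXEC_TYPE.
# Assumed setools-3 style invocation; skipped when sesearch is absent.
check_transition() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed"; return 0; }
    sesearch -T -s "$1" -t "$2" -c process
}

# Usage on the system from comment 4 (paths as reported there):
#   resolve_chain /sbin/iptables
#   check_exec_label /sbin/iptables iptables_exec_t
#   check_transition ipsec_mgmt_t iptables_exec_t
```

Run `check_exec_label /sbin/iptables iptables_exec_t` on the affected machine: if it reports a mismatch, `restorecon -v` on the final path reapplies the file context from the policy, and rerunning the check confirms the label; if the label is already correct and `check_transition` shows the rule, the denial is not a labeling problem and the audit record needs a different explanation.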

Comment 7 Lukas Vrabec 2016-12-07 09:35:39 UTC
Red Hat Enterprise Linux version 6 is entering the Production 2 phase of its lifetime and this bug doesn't meet the criteria for it, i.e. only high severity issues will be fixed. Please see https://access.redhat.com/support/policy/updates/errata/ for further information.

