Bug 1444607 - SELinux is preventing starter from execute_no_trans access on the file /usr/libexec/strongswan/charon.
SELinux is preventing starter from execute_no_trans access on the file /usr/l...
Status: NEW
Product: Fedora
Classification: Fedora
Component: strongswan (Show other bugs)
26
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Pavel (pavlix) Šimerda
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-23 03:53 EDT by Andrey Motoshkov
Modified: 2017-08-31 04:22 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andrey Motoshkov 2017-04-23 03:53:47 EDT
Description of problem:

Unable to start strongswan service


Version-Release number of selected component (if applicable):
strongswan-5.5.0-3.fc26.x86_64
selinux-policy-3.13.1-251.fc26.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
strongswan[4038]: can't execv(/usr/libexec/strongswan/charon,...): Permission denied
strongswan[4038]: charon has died -- restart scheduled (5sec)


Expected results:


Additional info:
SELinux is preventing starter from execute_no_trans access on the file /usr/libexec/strongswan/charon.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that starter should be allowed execute_no_trans access on the charon file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'starter' --raw | audit2allow -M my-starter
# semodule -X 300 -i my-starter.pp

Additional Information:
Source Context                system_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:ipsec_exec_t:s0
Target Objects                /usr/libexec/strongswan/charon [ file ]
Source                        starter
Source Path                   starter
Port                          <Unknown>
Host                          (none)
Source RPM Packages           
Target RPM Packages           strongswan-5.5.0-3.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (none)
Platform                      Linux (none)
                              4.11.0-0.rc7.git0.1.fc26.x86_64 #1 SMP Mon Apr 17
                              18:09:42 UTC 2017 x86_64 x86_64
Alert Count                   10
First Seen                    2017-04-23 10:27:24 IDT
Last Seen                     2017-04-23 10:28:09 IDT
Local ID                      fe541056-001d-4b89-8caa-0b5751e7326d

Raw Audit Messages
type=AVC msg=audit(1492932489.107:283): avc:  denied  { execute_no_trans } for  pid=4125 comm="starter" path="/usr/libexec/strongswan/charon" dev="dm-0" ino=3416550 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file permissive=0


Hash: starter,ipsec_t,ipsec_exec_t,file,execute_no_trans
Comment 1 Richard Chan 2017-06-26 23:14:18 EDT
Still present:

selinux-policy-3.13.1-259.fc26.noarch
strongswan-5.5.3-1.fc26.x86_64
Comment 2 Jari Turkia 2017-08-31 04:22:11 EDT
This my local policy to make StrongSWAN work again:

module local 1.0;

require {
        type ipsec_t;
        type ipsec_exec_t;
        type var_run_t;
        class file { execute_no_trans };
        class sock_file { unlink write };
}

#============= ipsec_t ==============
allow ipsec_t ipsec_exec_t:file execute_no_trans;
allow ipsec_t var_run_t:sock_file { unlink write };

Note You need to log in before you can comment on or make changes to this bug.