Bug 164113 - IPSec/racoon does not work with strict policy
Summary: IPSec/racoon does not work with strict policy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Russell Coker
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-07-25 02:24 UTC by W. Michael Petullo
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.27.1-2.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-03-27 05:43:45 UTC
Type: ---
Embargoed:



Description W. Michael Petullo 2005-07-25 02:24:25 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.8) Gecko/20050513 Epiphany/1.6.3

Description of problem:
Trying to bring up an IPSec link does not work when SELinux is enforcing its strict policy.  I have the hosts configured as follows:

ifcfg-ipsec0:
DST=192.168.0.100
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK

/etc/racoon/192.168.0.100.conf:
remote 192.168.0.100
{
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
1.  Load the strict SELinux policy in enforcing mode.
2.  Try to bring up the IPSec link using ifup.

Actual Results:  The ifup command will fail to bring up the IPSec link.

Additional info:

The following allows racoon to work:

allow ipsec_t ipsec_t:netlink_route_socket { create bind getattr write nlmsg_read read };
allow ipsec_t ipsec_t:unix_dgram_socket ioctl;
allow ipsec_t var_t:sock_file { create setattr unlink };
allow ipsec_t var_t:dir { write remove_name add_name };
allow ipsec_t sysadm_tmp_t:file { read ioctl getattr };

Comment 1 Daniel Walsh 2005-07-25 13:44:22 UTC
Could you attach the avc messages you used to create these allow rules?
Netlink and unix_dgram rules are fine.

The sock_file and sysadm_tmp_t ones are not.  Where is the sock_file being
created and by whom?

What tmp file is ipsec trying to read?

Comment 2 W. Michael Petullo 2005-07-26 00:17:58 UTC
"ifup ipsec0" when enforcing=0 and the rules listed above causes the following
to be logged by audit:

type=AVC msg=audit(1122336704.779:697440): avc:  denied  { write } for  pid=3375
comm="racoon" name="racoon" dev=hda2 ino=15698 scontext=root:system_r:ipsec_t
tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1122336704.779:697440): avc:  denied  { remove_name } for 
pid=3375 comm="racoon" name="racoon.sock" dev=hda2 ino=14684
scontext=root:system_r:ipsec_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1122336704.779:697440): avc:  denied  { unlink } for 
pid=3375 comm="racoon" name="racoon.sock" dev=hda2 ino=14684
scontext=root:system_r:ipsec_t tcontext=root:object_r:var_t tclass=sock_file
type=SYSCALL msg=audit(1122336704.779:697440): arch=40000003 syscall=10
success=yes exit=0 a0=80b6c42 a1=bff9dd10 a2=9b675e8 a3=80b2918 items=1 pid=3375
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon"
exe="/usr/sbin/racoon"
type=CWD msg=audit(1122336704.779:697440):  cwd="/"
type=PATH msg=audit(1122336704.779:697440): item=0
name="/var/racoon/racoon.sock" flags=10  inode=15698 dev=03:02 mode=040755
ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1122336704.780:697441): avc:  denied  { add_name } for 
pid=3375 comm="racoon" name="racoon.sock" scontext=root:system_r:ipsec_t
tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1122336704.780:697441): avc:  denied  { create } for 
pid=3375 comm="racoon" name="racoon.sock" scontext=root:system_r:ipsec_t
tcontext=root:object_r:var_t tclass=sock_file
type=SYSCALL msg=audit(1122336704.780:697441): arch=40000003 syscall=102
success=yes exit=0 a0=2 a1=bff9dd10 a2=9b675e8 a3=80b2918 items=1 pid=3375
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon"
exe="/usr/sbin/racoon"
type=SOCKADDR msg=audit(1122336704.780:697441):
saddr=01002F7661722F7261636F6F6E2F7261636F6F6E2E736F636B00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1122336704.780:697441): nargs=3 a0=5 a1=80b6c40 a2=6e
type=PATH msg=audit(1122336704.780:697441): item=0 flags=10  inode=15698
dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1122336704.781:697442): avc:  denied  { setattr } for 
pid=3375 comm="racoon" name="racoon.sock" dev=hda2 ino=14684
scontext=root:system_r:ipsec_t tcontext=root:object_r:var_t tclass=sock_file
type=SYSCALL msg=audit(1122336704.781:697442): arch=40000003 syscall=212
success=yes exit=0 a0=80b6c42 a1=0 a2=0 a3=80b2918 items=1 pid=3375 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon"
exe="/usr/sbin/racoon"
type=CWD msg=audit(1122336704.781:697442):  cwd="/"
type=PATH msg=audit(1122336704.781:697442): item=0
name="/var/racoon/racoon.sock" flags=1  inode=14684 dev=03:02 mode=0140700
ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1122336704.782:697445): avc:  denied  { create } for 
pid=3375 comm="racoon" scontext=root:system_r:ipsec_t
tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1122336704.782:697445): arch=40000003 syscall=102
success=yes exit=6 a0=1 a1=bff9dd20 a2=9b675e8 a3=80b2918 items=0 pid=3375
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon"
exe="/usr/sbin/racoon"
type=SOCKETCALL msg=audit(1122336704.782:697445): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1122336704.782:697446): avc:  denied  { bind } for  pid=3375
comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t
tclass=netlink_route_socket
type=SYSCALL msg=audit(1122336704.782:697446): arch=40000003 syscall=102
success=yes exit=0 a0=2 a1=bff9dd20 a2=bff9dd34 a3=80b2918 items=0 pid=3375
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon"
exe="/usr/sbin/racoon"
type=SOCKADDR msg=audit(1122336704.782:697446): saddr=100000000000000011000000
type=SOCKETCALL msg=audit(1122336704.782:697446): nargs=3 a0=6 a1=bff9dd34 a2=c
type=AVC msg=audit(1122336704.783:697447): avc:  denied  { getattr } for 
pid=3375 comm="racoon" scontext=root:system_r:ipsec_t
tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1122336704.783:697447): arch=40000003 syscall=102
success=yes exit=0 a0=6 a1=bff9dd20 a2=bff9dd34 a3=80b2918 items=0 pid=3375
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon"
exe="/usr/sbin/racoon"
type=SOCKETCALL msg=audit(1122336704.783:697447): nargs=3 a0=6 a1=bff9dd34
a2=bff9dd40
type=AVC msg=audit(1122336704.783:697449): avc:  denied  { write } for  pid=3375
comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t
tclass=netlink_route_socket
type=AVC msg=audit(1122336704.783:697449): avc:  denied  { nlmsg_read } for 
pid=3375 comm="racoon" scontext=root:system_r:ipsec_t
tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1122336704.783:697449): arch=40000003 syscall=102
success=yes exit=20 a0=b a1=bff9b080 a2=bff9dd34 a3=80b2918 items=0 pid=3375
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon"
exe="/usr/sbin/racoon"
type=SOCKADDR msg=audit(1122336704.783:697449): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1122336704.783:697449): nargs=6 a0=7 a1=bff9dcd4 a2=14
a3=0 a4=bff9dcf4 a5=c
type=AVC msg=audit(1122336704.784:697450): avc:  denied  { read } for  pid=3375
comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t
tclass=netlink_route_socket
type=SYSCALL msg=audit(1122336704.784:697450): arch=40000003 syscall=102
success=yes exit=128 a0=11 a1=bff9b080 a2=bff9dd34 a3=80b2918 items=0 pid=3375
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon"
exe="/usr/sbin/racoon"
type=SOCKETCALL msg=audit(1122336704.784:697450): nargs=3 a0=7 a1=bff9d4d0 a2=0
type=AVC msg=audit(1122336704.784:697462): avc:  denied  { ioctl } for  pid=3375
comm="racoon" name="[15380]" dev=sockfs ino=15380 scontext=root:system_r:ipsec_t
tcontext=root:system_r:ipsec_t tclass=unix_dgram_socket
type=SYSCALL msg=audit(1122336704.784:697462): arch=40000003 syscall=54
success=yes exit=0 a0=8 a1=8933 a2=bff9b04c a3=bff9b04c items=0 pid=3375 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon"
exe="/usr/sbin/racoon"
type=AVC_PATH msg=audit(1122336704.784:697462):  path="socket:[15380]"
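An added example (not from the report or from the selinux-policy package) that does what the reporter did by hand: it parses AVC records in both formats this thread shows (`type=AVC msg=audit(...)` and bare `audit(...)`), collapses them into allow rules, and flags rules that target generic types like var_t, which per comment 1 call for a file-context fix rather than a broader allow. The sample lines are constructed from the records above, re-joined where Bugzilla wrapped them.

```python
import re
from collections import defaultdict

# Constructed sample: denial records from this report, one per line.
SAMPLE = """\
type=AVC msg=audit(1122336704.779:697440): avc:  denied  { write } for  pid=3375 comm="racoon" name="racoon" dev=hda2 ino=15698 scontext=root:system_r:ipsec_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1122336704.779:697440): avc:  denied  { remove_name } for  pid=3375 comm="racoon" name="racoon.sock" dev=hda2 ino=14684 scontext=root:system_r:ipsec_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1122336704.779:697440): avc:  denied  { unlink } for  pid=3375 comm="racoon" name="racoon.sock" dev=hda2 ino=14684 scontext=root:system_r:ipsec_t tcontext=root:object_r:var_t tclass=sock_file
type=SYSCALL msg=audit(1122336704.779:697440): arch=40000003 syscall=10 success=yes exit=0 pid=3375 comm="racoon"
type=AVC msg=audit(1122336704.783:697449): avc:  denied  { write } for  pid=3375 comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
type=AVC msg=audit(1122336704.783:697449): avc:  denied  { nlmsg_read } for  pid=3375 comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
audit(1127001282.148:2852): avc:  denied  { name_bind } for  pid=3486 comm="racoon" src=500 scontext=root:system_r:ipsec_t:s0-s0:c0.c127 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
"""

# Matches the denial itself, regardless of the record prefix; the MLS
# range (":s0-s0:c0.c127") in comment 5 is absorbed by \S+.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# Target types the maintainer rejected in comment 1: denials against these
# are fixed by giving the object a domain-specific label, not by an allow.
GENERIC_TARGETS = {"var_t", "sysadm_tmp_t"}


def type_of(context):
    """Third field of a security context user:role:type[:range]."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, permission) per AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH/SOCKADDR records carry no denial
        for perm in m.group("perms").split():
            yield (type_of(m.group("scon")), type_of(m.group("tcon")),
                   m.group("tclass"), perm)


def allow_rules(text):
    """One allow rule per (source, target, class), in the report's own style."""
    perms = defaultdict(list)
    for src, tgt, cls, perm in parse_denials(text):
        if perm not in perms[(src, tgt, cls)]:
            perms[(src, tgt, cls)].append(perm)
    rules = []
    for (src, tgt, cls), plist in perms.items():
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def needs_relabel(rules):
    """Rules whose target is a generic type: fix the label, don't widen the domain."""
    return [r for r in rules if r.split()[2].split(":")[0] in GENERIC_TARGETS]
```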

Comment 3 Daniel Walsh 2005-08-25 19:59:40 UTC
Fixed in policy 1.25.4-10

Comment 4 Walter Justen 2005-08-30 06:09:33 UTC
Thanks for the bug report. This particular bug was fixed and an update package
was published for download. Please feel free to report any further bugs you find.

Comment 5 W. Michael Petullo 2005-09-17 23:58:10 UTC
Still broken with selinux-policy-strict-1.26-1 and initscripts-8.12-3:

[...]
audit(1127001282.148:2852): avc:  denied  { name_bind } for  pid=3486
comm="racoon" src=500 scontext=root:system_r:ipsec_t:s0-s0:c0.c127
tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
audit(1127001282.148:2852): arch=40000003 syscall=102 success=no exit=-13 a0=2
a1=bfed8ad0 a2=100007f a3=80b2918 items=0 pid=3486 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
audit(1127001282.148:2852): saddr=020001F47F0000010000000000000000
audit(1127001282.148:2852): nargs=3 a0=8 a1=91ed5c8 a2=10
audit(1127001282.164:2853): avc:  denied  { name_bind } for  pid=3486
comm="racoon" src=500 scontext=root:system_r:ipsec_t:s0-s0:c0.c127
tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
audit(1127001282.164:2853): arch=40000003 syscall=102 success=no exit=-13 a0=2
a1=bfed8ad0 a2=a00a8c0 a3=91ed5c8 items=0 pid=3486 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
audit(1127001282.164:2853): saddr=020001F4C0A8000A0000000000000000
audit(1127001282.164:2853): nargs=3 a0=8 a1=91ed598 a2=10
audit(1127001282.188:2854): avc:  denied  { name_bind } for  pid=3486
comm="racoon" src=500 scontext=root:system_r:ipsec_t:s0-s0:c0.c127
tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
audit(1127001282.188:2854): arch=40000003 syscall=102 success=no exit=-13 a0=2
a1=bfed8ad0 a2=0 a3=0 items=0 pid=3486 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
audit(1127001282.188:2854):
saddr=0A0001F4000000000000000000000000000000000000000100000000
audit(1127001282.188:2854): nargs=3 a0=8 a1=91ed0c8 a2=1c
audit(1127001282.212:2855): avc:  denied  { name_bind } for  pid=3486
comm="racoon" src=500 scontext=root:system_r:ipsec_t:s0-s0:c0.c127
tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
audit(1127001282.212:2855): arch=40000003 syscall=102 success=no exit=-13 a0=2
a1=bfed8ad0 a2=80b7a20 a3=91ed0c8 items=0 pid=3486 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
audit(1127001282.212:2855):
saddr=0A0001F400000000FE80000000000000024063FFFED9397E02000000
audit(1127001282.212:2855): nargs=3 a0=8 a1=91ecd18 a2=1c

Comment 6 Daniel Walsh 2005-09-19 20:20:11 UTC
Fixed in selinux-policy-*-1.27.1-2.1

