From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.8) Gecko/20050513 Epiphany/1.6.3

Description of problem:
Trying to bring up an IPSec link does not work when SELinux is enforcing its strict policy. I have the hosts configured as follows:

ifcfg-ipsec0:
    DST=192.168.0.100
    TYPE=IPSEC
    ONBOOT=yes
    IKE_METHOD=PSK

/etc/racoon/192.168.0.100.conf:
    remote 192.168.0.100
    {
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2 ;
        }
    }

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
1. Load the strict SELinux policy in enforcing mode.
2. Try to bring up the IPSec link using ifup.

Actual Results:
The ifup command will fail to bring up the IPSec link.

Additional info:
The following allows racoon to work:

    allow ipsec_t ipsec_t:netlink_route_socket { create bind getattr write nlmsg_read read };
    allow ipsec_t ipsec_t:unix_dgram_socket ioctl;
    allow ipsec_t var_t:sock_file { create setattr unlink };
    allow ipsec_t var_t:dir { write remove_name add_name };
    allow ipsec_t sysadm_tmp_t:file { read ioctl getattr };
Could you attach the avc messages you used to create these allow rules? Netlink and unix_dgram rules are fine. The sock_file and sysadm_tmp_t ones are not. Where is the sock_file being created and by whom? What tmp file is ipsec trying to read?
"ifup ipsec0" when enforcing=0 and the rules listed above causes the following to be logged by audit:

type=AVC msg=audit(1122336704.779:697440): avc: denied { write } for pid=3375 comm="racoon" name="racoon" dev=hda2 ino=15698 scontext=root:system_r:ipsec_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1122336704.779:697440): avc: denied { remove_name } for pid=3375 comm="racoon" name="racoon.sock" dev=hda2 ino=14684 scontext=root:system_r:ipsec_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1122336704.779:697440): avc: denied { unlink } for pid=3375 comm="racoon" name="racoon.sock" dev=hda2 ino=14684 scontext=root:system_r:ipsec_t tcontext=root:object_r:var_t tclass=sock_file
type=SYSCALL msg=audit(1122336704.779:697440): arch=40000003 syscall=10 success=yes exit=0 a0=80b6c42 a1=bff9dd10 a2=9b675e8 a3=80b2918 items=1 pid=3375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
type=CWD msg=audit(1122336704.779:697440): cwd="/"
type=PATH msg=audit(1122336704.779:697440): item=0 name="/var/racoon/racoon.sock" flags=10 inode=15698 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1122336704.780:697441): avc: denied { add_name } for pid=3375 comm="racoon" name="racoon.sock" scontext=root:system_r:ipsec_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1122336704.780:697441): avc: denied { create } for pid=3375 comm="racoon" name="racoon.sock" scontext=root:system_r:ipsec_t tcontext=root:object_r:var_t tclass=sock_file
type=SYSCALL msg=audit(1122336704.780:697441): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff9dd10 a2=9b675e8 a3=80b2918 items=1 pid=3375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
type=SOCKADDR msg=audit(1122336704.780:697441): saddr=01002F7661722F7261636F6F6E2F7261636F6F6E2E736F636B00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1122336704.780:697441): nargs=3 a0=5 a1=80b6c40 a2=6e
type=PATH msg=audit(1122336704.780:697441): item=0 flags=10 inode=15698 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1122336704.781:697442): avc: denied { setattr } for pid=3375 comm="racoon" name="racoon.sock" dev=hda2 ino=14684 scontext=root:system_r:ipsec_t tcontext=root:object_r:var_t tclass=sock_file
type=SYSCALL msg=audit(1122336704.781:697442): arch=40000003 syscall=212 success=yes exit=0 a0=80b6c42 a1=0 a2=0 a3=80b2918 items=1 pid=3375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
type=CWD msg=audit(1122336704.781:697442): cwd="/"
type=PATH msg=audit(1122336704.781:697442): item=0 name="/var/racoon/racoon.sock" flags=1 inode=14684 dev=03:02 mode=0140700 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1122336704.782:697445): avc: denied { create } for pid=3375 comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1122336704.782:697445): arch=40000003 syscall=102 success=yes exit=6 a0=1 a1=bff9dd20 a2=9b675e8 a3=80b2918 items=0 pid=3375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
type=SOCKETCALL msg=audit(1122336704.782:697445): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1122336704.782:697446): avc: denied { bind } for pid=3375 comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1122336704.782:697446): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff9dd20 a2=bff9dd34 a3=80b2918 items=0 pid=3375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
type=SOCKADDR msg=audit(1122336704.782:697446): saddr=100000000000000011000000
type=SOCKETCALL msg=audit(1122336704.782:697446): nargs=3 a0=6 a1=bff9dd34 a2=c
type=AVC msg=audit(1122336704.783:697447): avc: denied { getattr } for pid=3375 comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1122336704.783:697447): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bff9dd20 a2=bff9dd34 a3=80b2918 items=0 pid=3375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
type=SOCKETCALL msg=audit(1122336704.783:697447): nargs=3 a0=6 a1=bff9dd34 a2=bff9dd40
type=AVC msg=audit(1122336704.783:697449): avc: denied { write } for pid=3375 comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
type=AVC msg=audit(1122336704.783:697449): avc: denied { nlmsg_read } for pid=3375 comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1122336704.783:697449): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bff9b080 a2=bff9dd34 a3=80b2918 items=0 pid=3375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
type=SOCKADDR msg=audit(1122336704.783:697449): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1122336704.783:697449): nargs=6 a0=7 a1=bff9dcd4 a2=14 a3=0 a4=bff9dcf4 a5=c
type=AVC msg=audit(1122336704.784:697450): avc: denied { read } for pid=3375 comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1122336704.784:697450): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bff9b080 a2=bff9dd34 a3=80b2918 items=0 pid=3375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
type=SOCKETCALL msg=audit(1122336704.784:697450): nargs=3 a0=7 a1=bff9d4d0 a2=0
type=AVC msg=audit(1122336704.784:697462): avc: denied { ioctl } for pid=3375 comm="racoon" name="[15380]" dev=sockfs ino=15380 scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t tclass=unix_dgram_socket
type=SYSCALL msg=audit(1122336704.784:697462): arch=40000003 syscall=54 success=yes exit=0 a0=8 a1=8933 a2=bff9b04c a3=bff9b04c items=0 pid=3375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
type=AVC_PATH msg=audit(1122336704.784:697462): path="socket:[15380]"
Fixed in policy 1.25.4-10
Thanks for the bug report. This particular bug was fixed and an update package was published for download. Please feel free to report any further bugs you find.
Still broken with selinux-policy-strict-1.26-1 and initscripts-8.12-3:

[...]
audit(1127001282.148:2852): avc: denied { name_bind } for pid=3486 comm="racoon" src=500 scontext=root:system_r:ipsec_t:s0-s0:c0.c127 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
audit(1127001282.148:2852): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfed8ad0 a2=100007f a3=80b2918 items=0 pid=3486 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
audit(1127001282.148:2852): saddr=020001F47F0000010000000000000000
audit(1127001282.148:2852): nargs=3 a0=8 a1=91ed5c8 a2=10
audit(1127001282.164:2853): avc: denied { name_bind } for pid=3486 comm="racoon" src=500 scontext=root:system_r:ipsec_t:s0-s0:c0.c127 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
audit(1127001282.164:2853): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfed8ad0 a2=a00a8c0 a3=91ed5c8 items=0 pid=3486 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
audit(1127001282.164:2853): saddr=020001F4C0A8000A0000000000000000
audit(1127001282.164:2853): nargs=3 a0=8 a1=91ed598 a2=10
audit(1127001282.188:2854): avc: denied { name_bind } for pid=3486 comm="racoon" src=500 scontext=root:system_r:ipsec_t:s0-s0:c0.c127 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
audit(1127001282.188:2854): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfed8ad0 a2=0 a3=0 items=0 pid=3486 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
audit(1127001282.188:2854): saddr=0A0001F4000000000000000000000000000000000000000100000000
audit(1127001282.188:2854): nargs=3 a0=8 a1=91ed0c8 a2=1c
audit(1127001282.212:2855): avc: denied { name_bind } for pid=3486 comm="racoon" src=500 scontext=root:system_r:ipsec_t:s0-s0:c0.c127 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
audit(1127001282.212:2855): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfed8ad0 a2=80b7a20 a3=91ed0c8 items=0 pid=3486 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="racoon" exe="/usr/sbin/racoon"
audit(1127001282.212:2855): saddr=0A0001F400000000FE80000000000000024063FFFED9397E02000000
audit(1127001282.212:2855): nargs=3 a0=8 a1=91ecd18 a2=1c
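Added example (not part of this bug report, and not the selinux-policy project's own tooling): a small Python script that does by machine what the two audit-log comments above do by hand. It aggregates AVC denials into audit2allow-style allow rules keyed by source type, target type and class, flags rules whose target is a generic type such as var_t or sysadm_tmp_t (the maintainer's objection in comment 2: such a denial usually means the object is mislabelled, not that the domain lacks a permission), and decodes the hex saddr= fields of the SOCKADDR records so the AF_UNIX path /var/racoon/racoon.sock, the UDP port 500 binds and the netlink socket become readable. The sample records are copied from this bug (the long AF_UNIX saddr is shortened to the path plus a NUL); the GENERIC_TYPES set and the review heuristic are my own assumptions, and the sa_family decoding assumes the i386 little-endian host the log came from.

```python
"""Parse SELinux AVC denials from audit records and decode SOCKADDR payloads.

Added example; not from this bug or the selinux-policy project. Sample records
are copied from the bug; GENERIC_TYPES and review_rules() are assumptions.
"""
import re
import socket
import struct
from collections import defaultdict

# Audit records copied from this bug. The AF_UNIX saddr is shortened to the
# path plus one NUL; the kernel pads it with zeros to sizeof(struct sockaddr_un).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1122336704.779:697440): avc: denied { unlink } for pid=3375 comm="racoon" name="racoon.sock" dev=hda2 ino=14684 scontext=root:system_r:ipsec_t tcontext=root:object_r:var_t tclass=sock_file
type=SOCKADDR msg=audit(1122336704.780:697441): saddr=01002F7661722F7261636F6F6E2F7261636F6F6E2E736F636B00
type=AVC msg=audit(1122336704.783:697449): avc: denied { write } for pid=3375 comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
type=AVC msg=audit(1122336704.783:697449): avc: denied { nlmsg_read } for pid=3375 comm="racoon" scontext=root:system_r:ipsec_t tcontext=root:system_r:ipsec_t tclass=netlink_route_socket
type=SOCKADDR msg=audit(1122336704.782:697446): saddr=100000000000000011000000
audit(1127001282.148:2852): avc: denied { name_bind } for pid=3486 comm="racoon" src=500 scontext=root:system_r:ipsec_t:s0-s0:c0.c127 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
audit(1127001282.148:2852): saddr=020001F47F0000010000000000000000
audit(1127001282.188:2854): saddr=0A0001F4000000000000000000000000000000000000000100000000
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SADDR_RE = re.compile(r"saddr=([0-9A-Fa-f]+)")

# Assumption: target types that should not appear in a new allow rule. Access to
# them normally means the object is mislabelled (here /var/racoon/racoon.sock
# sitting in var_t) and the fix is a file context, not a permission.
GENERIC_TYPES = {"var_t", "sysadm_tmp_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Extract permissions, source type, target type and class from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def allow_rules(lines):
    """Aggregate denials into audit2allow-style rules, one per (source, target, class)."""
    acc = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            acc[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (s, t, c), perms in sorted(acc.items()):
        p = " ".join(sorted(perms))
        body = f"{{ {p} }}" if len(perms) > 1 else p
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


def review_rules(rules):
    """Return the rules whose target type is generic, i.e. candidates for relabelling."""
    flagged = []
    for rule in rules:
        m = re.match(r"allow \S+ (\S+):\S+ ", rule)
        if m and m.group(1) in GENERIC_TYPES:
            flagged.append(rule)
    return flagged


def decode_saddr(hexstr):
    """Decode the hex sockaddr of a SOCKADDR record (i386 host: little-endian sa_family)."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == 1:    # AF_UNIX: sun_path, NUL-terminated
        return ("AF_UNIX", raw[2:].split(b"\x00", 1)[0].decode())
    if family == 2:    # AF_INET: sin_port (network order), sin_addr
        port = struct.unpack_from("!H", raw, 2)[0]
        return ("AF_INET", socket.inet_ntop(socket.AF_INET, raw[4:8]), port)
    if family == 10:   # AF_INET6: sin6_port, sin6_flowinfo, then sin6_addr at offset 8
        port = struct.unpack_from("!H", raw, 2)[0]
        return ("AF_INET6", socket.inet_ntop(socket.AF_INET6, raw[8:24]), port)
    if family == 16:   # AF_NETLINK: pad, nl_pid, nl_groups (host order)
        nl_pid, nl_groups = struct.unpack_from("<II", raw, 4)
        return ("AF_NETLINK", nl_pid, nl_groups)
    return ("AF_%d" % family, hexstr)


def decode_sockaddrs(lines):
    """Decode every saddr= field found in the given audit records, in order."""
    return [decode_saddr(m.group(1)) for m in map(SADDR_RE.search, lines) if m]


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    rules = allow_rules(lines)
    for rule in rules:
        print(rule)
    for rule in review_rules(rules):
        print("relabel instead of allow:", rule)
    for addr in decode_sockaddrs(lines):
        print(addr)
```

Run on the sample records, the script emits the netlink and name_bind rules unchanged, singles out `allow ipsec_t var_t:sock_file unlink;` as a labelling problem, and shows that the AF_INET6 bind in comment 5 was to ::1 port 500 (the isakmp_port_t denial), which is the kind of detail the raw hex hides.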
Fixed in selinux-policy-*-1.27.1-2.1