1848355 – default label for the /run/strongswan directory is not correct

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1848355 - default label for the /run/strongswan directory is not correct

Summary: default label for the /run/strongswan directory is not correct

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.3
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	8.4
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-06-18 08:34 UTC by Milos Malik
Modified:	2021-05-18 14:58 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-05-18 14:57:37 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Milos Malik 2020-06-18 08:34:26 UTC

Description of problem:
If the strongswan service is running and the root user executes "restorecon -Rv /run", then certain strongswan files get mislabeled and restart of the service becomes difficult.

# restorecon -Rv /run
Relabeled /run/strongswan/charon.vici from system_u:object_r:ipsec_var_run_t:s0 to system_u:object_r:var_run_t:s0
Relabeled /run/strongswan/charon.ctl from system_u:object_r:ipsec_var_run_t:s0 to system_u:object_r:var_run_t:s0
Relabeled /run/strongswan/charon.dck from system_u:object_r:ipsec_var_run_t:s0 to system_u:object_r:var_run_t:s0
#

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-45.el8.noarch
selinux-policy-devel-3.14.3-45.el8.noarch
selinux-policy-doc-3.14.3-45.el8.noarch
selinux-policy-sandbox-3.14.3-45.el8.noarch
selinux-policy-targeted-3.14.3-45.el8.noarch
strongswan-5.8.2-5.el8.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-8.3 machine (targeted policy is active)
2. run the following automated TC:
 * TC#57320 - /CoreOS/selinux-policy/Regression/strongswan-and-similar
3. search for SELinux denials

Actual results:
# matchpathcon /run/strongswan/
/run/strongswan	system_u:object_r:var_run_t:s0
#
----
type=PROCTITLE msg=audit(06/18/2020 10:13:51.508:972) : proctitle=/usr/libexec/strongswan/charon 
type=PATH msg=audit(06/18/2020 10:13:51.508:972) : item=1 name=/run/strongswan/charon.dck inode=278724 dev=00:17 mode=socket,770 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/18/2020 10:13:51.508:972) : item=0 name=/run/strongswan/ inode=23473 dev=00:17 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/18/2020 10:13:51.508:972) : cwd=/ 
type=SYSCALL msg=audit(06/18/2020 10:13:51.508:972) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x7ffcb1a9e2f2 a1=0x1 a2=0x0 a3=0x12 items=2 ppid=71889 pid=71895 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=charon exe=/usr/libexec/strongswan/charon subj=system_u:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(06/18/2020 10:13:51.508:972) : avc:  denied  { unlink } for  pid=71895 comm=charon name=charon.dck dev="tmpfs" ino=278724 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(06/18/2020 10:13:51.517:973) : proctitle=/usr/libexec/strongswan/charon 
type=PATH msg=audit(06/18/2020 10:13:51.517:973) : item=1 name=/run/strongswan/charon.ctl inode=278735 dev=00:17 mode=socket,770 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/18/2020 10:13:51.517:973) : item=0 name=/run/strongswan/ inode=23473 dev=00:17 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/18/2020 10:13:51.517:973) : cwd=/ 
type=SYSCALL msg=audit(06/18/2020 10:13:51.517:973) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x7ffcb1a9e342 a1=0x1 a2=0x0 a3=0x558ad86751d0 items=2 ppid=71889 pid=71895 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=charon exe=/usr/libexec/strongswan/charon subj=system_u:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(06/18/2020 10:13:51.517:973) : avc:  denied  { unlink } for  pid=71895 comm=charon name=charon.ctl dev="tmpfs" ino=278735 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(06/18/2020 10:13:51.517:974) : proctitle=/usr/libexec/strongswan/charon 
type=PATH msg=audit(06/18/2020 10:13:51.517:974) : item=1 name=/run/strongswan/charon.vici inode=278737 dev=00:17 mode=socket,770 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/18/2020 10:13:51.517:974) : item=0 name=/run/strongswan/ inode=23473 dev=00:17 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/18/2020 10:13:51.517:974) : cwd=/ 
type=SYSCALL msg=audit(06/18/2020 10:13:51.517:974) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x7ffcb1a9e2d2 a1=0x1 a2=0x0 a3=0x558ad8673be0 items=2 ppid=71889 pid=71895 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=charon exe=/usr/libexec/strongswan/charon subj=system_u:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(06/18/2020 10:13:51.517:974) : avc:  denied  { unlink } for  pid=71895 comm=charon name=charon.vici dev="tmpfs" ino=278737 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 
----

Expected results:
# matchpathcon /run/strongswan/
/run/strongswan system_u:object_r:ipsec_var_run_t:s0
#
And no SELinux denials.

Additional information:
 * the strongswan package comes from EPEL

Comment 4 Zdenek Pytela 2021-02-10 21:19:10 UTC

Should suffice to backport:
commit a9a124efb4b03f40c01b66a73deb59f364281f86
Author: Zdenek Pytela <zpytela>
Date:   Mon Mar 23 16:05:26 2020 +0100

    Allow ipsec_t connectto ipsec_mgmt_t

    Allow ipsec_t connectto ipsec_mgmt_t using unix_stream_socket.
    Label /run/strongswan with ipsec_var_run_t.

    Resolves: rhbz#1815983

Comment 14 errata-xmlrpc 2021-05-18 14:57:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639

Note You need to log in before you can comment on or make changes to this bug.