Bug 1916289 - 3.14.3-59.el8 - breaks strongswan 5.8.x
Summary: 3.14.3-59.el8 - breaks strongswan 5.8.x
Keywords:
Status: CLOSED DUPLICATE of bug 1889542
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: CentOS Stream
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: rc
: 8.0
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-14 13:34 UTC by lejeczek
Modified: 2022-01-05 13:43 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-17 21:06:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description lejeczek 2021-01-14 13:34:01 UTC
Description of problem:

SELinux breaks service start:

-> $ journalctl -lf -o short -u strongswan
-- Logs begin at Thu 2021-01-14 12:22:46 GMT. --
Jan 14 13:06:03 dzien.private.pawel charon-systemd[7174]: HA config misses local/remote address
Jan 14 13:06:03 dzien.private.pawel charon-systemd[7174]: no script for ext-auth script defined, disabled
Jan 14 13:06:03 dzien.private.pawel charon-systemd[7174]: loaded plugins: charon-systemd pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Jan 14 13:06:03 dzien.private.pawel charon-systemd[7174]: spawning 16 worker threads
Jan 14 13:06:03 dzien.private.pawel swanctl[7191]: no files found matching '/etc/strongswan/strongswan.conf'
Jan 14 13:06:03 dzien.private.pawel swanctl[7191]: abort initialization due to invalid configuration
Jan 14 13:06:03 dzien.private.pawel systemd[1]: strongswan.service: Control process exited, code=exited status=64
Jan 14 13:06:03 dzien.private.pawel charon-systemd[7174]: SIGTERM received, shutting down
Jan 14 13:06:03 dzien.private.pawel systemd[1]: strongswan.service: Failed with result 'exit-code'.
Jan 14 13:06:03 dzien.private.pawel systemd[1]: Failed to start strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Jan 14 13:08:19 dzien.private.pawel systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Jan 14 13:08:19 dzien.private.pawel charon-systemd[7390]: PKCS11 module '<name>' lacks library path

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.14.3-59.el8.noarch
selinux-policy-3.14.3-59.el8.noarch

Comment 1 Milos Malik 2021-01-14 14:30:31 UTC
Please collect SELinux denials and attach them here:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you.

Comment 2 Milos Malik 2021-01-14 14:35:45 UTC
I see these SELinux denials in permissive mode on my RHEL-8 VM, but I would like to know your SELinux denials:
----
type=PROCTITLE msg=audit(01/14/2021 15:31:52.896:587) : proctitle=/usr/sbin/swanctl --load-all --noprompt 
type=PATH msg=audit(01/14/2021 15:31:52.896:587) : item=0 name=/etc/strongswan/strongswan.d/charon inode=18033243 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ipsec_conf_file_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/14/2021 15:31:52.896:587) : cwd=/ 
type=SYSCALL msg=audit(01/14/2021 15:31:52.896:587) : arch=x86_64 syscall=openat success=yes exit=4 a0=0xffffff9c a1=0x7ffe04f2f8e0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=22419 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=swanctl exe=/usr/sbin/swanctl subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(01/14/2021 15:31:52.896:587) : avc:  denied  { read } for  pid=22419 comm=swanctl name=charon dev="vda2" ino=18033243 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(01/14/2021 15:31:53.068:588) : proctitle=/usr/sbin/swanctl --load-all --noprompt 
type=PATH msg=audit(01/14/2021 15:31:53.068:588) : item=0 name=/run/strongswan/charon.vici inode=524053 dev=00:17 mode=socket,770 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/14/2021 15:31:53.068:588) : cwd=/ 
type=SOCKADDR msg=audit(01/14/2021 15:31:53.068:588) : saddr={ saddr_fam=local path=/run/strongswan/charon.vici } 
type=SYSCALL msg=audit(01/14/2021 15:31:53.068:588) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x7 a1=0x7ffe04f31450 a2=0x1d a3=0x55fd598a5220 items=1 ppid=1 pid=22419 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=swanctl exe=/usr/sbin/swanctl subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(01/14/2021 15:31:53.068:588) : avc:  denied  { write } for  pid=22419 comm=swanctl name=charon.vici dev="tmpfs" ino=524053 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1 
----

Comment 3 Milos Malik 2021-01-14 15:28:23 UTC
# rpm -qa selinux-policy\* | sort
selinux-policy-3.14.3-59.el8.noarch
selinux-policy-devel-3.14.3-59.el8.noarch
selinux-policy-targeted-3.14.3-59.el8.noarch
# matchpathcon /etc/strongswan/
/etc/strongswan	system_u:object_r:ipsec_conf_file_t:s0
# matchpathcon /etc/strongswan/strongswan.d/
/etc/strongswan/strongswan.d	system_u:object_r:ipsec_conf_file_t:s0
# matchpathcon /etc/strongswan/strongswan.d/charon
/etc/strongswan/strongswan.d/charon	system_u:object_r:ipsec_conf_file_t:s0
# sesearch -s ipsec_mgmt_t -t ipsec_conf_file_t -c dir -A
#

Comment 4 lejeczek 2021-01-15 15:16:01 UTC
It seems to me these are "silent" denials:

-> $ restorecon -Fv /etc/strongswan/ -R
-> $ ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts 15:12 | egrep -i swan
...
type=PROCTITLE msg=audit(15/01/21 15:13:03.016:9665) : proctitle=/usr/sbin/swanctl --load-all --noprompt 
type=SYSCALL msg=audit(15/01/21 15:13:03.016:9665) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x7ffc2bc83a10 a1=0x7ffc2bc83aa0 a2=0x7ffc2bc83aa0 a3=0x0 items=0 ppid=1 pid=51674 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=swanctl exe=/usr/sbin/swanctl subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(15/01/21 15:13:03.016:9665) : avc:  denied  { search } for  pid=51674 comm=swanctl name=strongswan dev="dm-0" ino=67415444 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir permissive=0
...

You should be good to reproduce it as my env is nothing but plain vanilla CentOS 8 Stream.
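The AVC records quoted in comments 2 and 4 can be reduced to the policy rules they imply, the same way audit2allow does it. The following is an added example (not code from the bug report or from selinux-policy); it embeds the three AVC lines from comments 2 and 4 as constructed sample input, extracts source type, target type, object class and permission, and merges them into allow rules. The `permissive` flag is kept so that a denial that was actually enforced (comment 4, `permissive=0`, where `lstat` returned EACCES) is distinguishable from one that was only logged in permissive mode (comment 2).

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC lines from comments 2 and 4 of this bug.
AVC_LINES = """\
type=AVC msg=audit(01/14/2021 15:31:52.896:587) : avc:  denied  { read } for  pid=22419 comm=swanctl name=charon dev="vda2" ino=18033243 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(01/14/2021 15:31:53.068:588) : avc:  denied  { write } for  pid=22419 comm=swanctl name=charon.vici dev="tmpfs" ino=524053 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(15/01/21 15:13:03.016:9665) : avc:  denied  { search } for  pid=51674 comm=swanctl name=strongswan dev="dm-0" ino=67415444 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir permissive=0
"""

# One AVC record: "avc: denied { perms } for ... scontext=... tcontext=... tclass=... permissive=N"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def _type_of(context):
    """Pick the type field out of a user:role:type:level security context."""
    return context.split(":")[2]

def parse_avc(lines):
    """Return one dict per AVC denial: source/target type, class, perms, and whether it was enforced."""
    denials = []
    for line in lines.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "source": _type_of(m["scontext"]),
            "target": _type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
            "enforced": m["permissive"] == "0",  # permissive=0: the syscall really failed
        })
    return denials

def allow_rules(denials):
    """Merge denials by (source, target, class) into CIL-style 'allow' lines, like audit2allow."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    # Note: a target of a generic type such as var_run_t usually means the object is
    # mislabeled; the fix there is a file context entry, not a broader allow rule.
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    found = parse_avc(AVC_LINES)
    for d in found:
        print(("ENFORCED " if d["enforced"] else "logged   ") + f"{d['source']} -> {d['target']}:{d['tclass']} {sorted(d['perms'])}")
    print("\n".join(allow_rules(found)))
```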

Comment 5 lejeczek 2021-01-15 15:23:39 UTC
I run these:

-> $ rpm -qa \*swan\* | sort
strongswan-5.8.2-5.el8.x86_64
strongswan-libipsec-5.8.2-5.el8.x86_64

-> $ repoquery -i strongswan
Last metadata expiration check: 2:46:16 ago on Fri 15 Jan 2021 12:33:18 GMT.
Name         : strongswan
Version      : 5.8.2
Release      : 5.el8
Architecture : x86_64
Size         : 1.5 M
Source       : strongswan-5.8.2-5.el8.src.rpm
Repository   : epel
Summary      : An OpenSource IPsec-based VPN and TNC solution
URL          : http://www.strongswan.org/
License      : GPLv2+
Description  : The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key
             : exchange protocols in conjunction with the native NETKEY IPsec stack of the
             : Linux kernel.


And just in case, I think we talked about it somewhere else, other bug report, these swans > 5.8.x use swanctl configs so all is in:
/etc/strongswan/swanctl/
as opposed to earlier versions, in:
/etc/strongswan/ipsec.d/
just in case.

Comment 8 lejeczek 2021-01-31 21:56:16 UTC
Do we have any update on this?
This should be easy to fix as it's very easy to reproduce.
regards, L.

Comment 9 Zdenek Pytela 2021-02-17 21:06:54 UTC

*** This bug has been marked as a duplicate of bug 1889542 ***

Comment 10 lejeczek 2021-03-01 13:01:08 UTC
Could we have in CentOS, Stream perhaps, what the Fedora policies have?
Particularly those fcontext bits:

/etc/strongswan/ipsec\.d(/.*)?                     all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/ipsec\.secrets.*                   regular file       system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/bliss/(/.*)?               all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/ecdsa(/.*)?                all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/pkcs.*                     all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/private(/.*)?              all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/pubkey(/.*)?               all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/rsa(/.*)?                  all files          system_u:object_r:ipsec_key_file_t:s0 
/etc/strongswan/swanctl/x509.*                     all files          system_u:object_r:ipsec_key_file_t:s0
