Bug 1931848 - selinux-policy prevents ipsec/pluto to work over TCP [NEEDINFO]
Summary: selinux-policy prevents ipsec/pluto to work over TCP
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.4
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.5
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Khushbu Borole
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-02-23 11:55 UTC by Ondrej Moriš
Modified: 2021-10-12 12:20 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.14.3-68.el8
Doc Type: Bug Fix
Doc Text:
.`selinux-policy` now supports the TCP encapsulation Previously, the `libreswan` package supported IPsec-based VPNs using TCP encapsulation, but the `selinux-policy` package did not reflect this update. As a consequence, when the libreswan was configured to use TCP, the `ipsec` service failed to bind to the given TCP port. With this update in the `selinux-policy` package, TCP encapsulation is now possible. As a result, the `ipsec` service can bind and connect to the commonly used `4500/tcp` port.
Clone Of:
: 1951471 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
kborole: needinfo-
kborole: needinfo-
zpytela: needinfo? (kborole)


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1372050 1 None None None 2021-05-18 17:15:02 UTC

Description Ondrej Moriš 2021-02-23 11:55:17 UTC
Description of problem:

In RHEL-8.4, libreswan added a new feature - IKEv2 / ESP over TCP (BZ#1372050). Current selinux-policy restricts libreswan too much be able to use this feature. Please notice that by default this feature is disabled and it is mostly recommend to use it only if UDP traffic is blocked [1].

[1] https://libreswan.org/wiki/RFC_8229_-_TCP_support_for_IKEv2_and_ESP#When_to_use_TCP_for_IKE_and_EPS

Version-Release number of selected component (if applicable):

libreswan-4.3-1.el8
selinux-policy-3.14.3-63.el8

How reproducible:

100%

Steps to Reproduce:

1. Edit default /etc/ipsec.conf and uncomment listep-tcp=yes in the config section to enable IKEv2 over TCP.

2. Start ipsec service.

3. See audit log.

Actual results:

time->Tue Feb 23 06:35:00 2021
type=PROCTITLE msg=audit(1614080100.606:1029): proctitle=2F7573722F6C6962657865632F69707365632F706C75746F002D2D6C65616B2D646574656374697665002D2D636F6E666967002F6574632F69707365632E636F6E66002D2D6E6F666F726B
type=SYSCALL msg=audit(1614080100.606:1029): arch=c000003e syscall=49 success=no exit=-13 a0=15 a1=7ffdde04ec34 a2=1c a3=7ffdde04eb30 items=0 ppid=1 pid=35193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1614080100.606:1029): avc:  denied  { name_bind } for  pid=35193 comm="pluto" src=4500 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0

Expected results:

No AVCs.

Additional info:

# ausearch -ts 06:34:35 -m AVC | audit2allow

#============= ipsec_t ==============
allow ipsec_t ipsecnat_port_t:tcp_socket name_bind;

Comment 1 Milos Malik 2021-02-23 12:47:10 UTC
Please re-test with the latest selinux-policy installed.

Comment 2 Milos Malik 2021-02-23 13:02:21 UTC
I'm sorry. The latest selinux-policy only allows udp_socket:

# sesearch -s ipsec_t -t ipsecnat_port_t -p name_bind -A
allow ipsec_t ipsecnat_port_t:udp_socket name_bind;
#

Comment 3 Milos Malik 2021-02-23 13:54:07 UTC
Following SELinux denial appeared several times in enforcing mode:
----
type=PROCTITLE msg=audit(02/23/2021 14:52:35.112:1947) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork 
type=SOCKADDR msg=audit(02/23/2021 14:52:35.112:1947) : saddr={ saddr_fam=inet6 laddr=::1 lport=4500 } 
type=SYSCALL msg=audit(02/23/2021 14:52:35.112:1947) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x1b a1=0x7ffd0d3e72d4 a2=0x1c a3=0x7ffd0d3e71d0 items=0 ppid=1 pid=81461 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(02/23/2021 14:52:35.112:1947) : avc:  denied  { name_bind } for  pid=81461 comm=pluto src=4500 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0 
----

Comment 4 Milos Malik 2021-02-23 13:55:49 UTC
The only SELinux denial which appeared in permissive mode is:
----
type=PROCTITLE msg=audit(02/23/2021 14:55:08.761:1977) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork 
type=SOCKADDR msg=audit(02/23/2021 14:55:08.761:1977) : saddr={ saddr_fam=inet laddr=192.168.124.1 lport=4500 } 
type=SYSCALL msg=audit(02/23/2021 14:55:08.761:1977) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x16 a1=0x7ffc25ca0234 a2=0x10 a3=0x7ffc25ca0130 items=0 ppid=1 pid=82438 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(02/23/2021 14:55:08.761:1977) : avc:  denied  { name_bind } for  pid=82438 comm=pluto src=4500 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=1 
----

Comment 11 Ondrej Moriš 2021-03-08 17:35:59 UTC
I just found out that there is one more AVC:

----
time->Mon Mar  8 12:28:35 2021
type=PROCTITLE msg=audit(1615224515.200:779): proctitle=2F7573722F6C6962657865632F69707365632F706C75746F002D2D6C65616B2D646574656374697665002D2D636F6E666967002F6574632F69707365632E636F6E66002D2D6E6F666F726B
type=SOCKADDR msg=audit(1615224515.200:779): saddr=020011940A008B240000000000000000
type=SYSCALL msg=audit(1615224515.200:779): arch=c000003e syscall=42 success=yes exit=0 a0=19 a1=7ffc2ba53074 a2=10 a3=0 items=0 ppid=1 pid=17348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1615224515.200:779): avc:  denied  { name_connect } for  pid=17348 comm="pluto" dest=4500 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=1

Therefore, the rule we need to add is actually as follows:

#============= ipsec_t ==============
allow ipsec_t ipsecnat_port_t:tcp_socket { name_bind name_connect };

IOW, not only name_bind for tcp_socket is needed but also name_connect permission.

Comment 12 Ondrej Moriš 2021-03-16 08:30:17 UTC
Proposing "Known Issue" Doc Type. ESPinTCP feature will be present in RHEL-8.4 and this bug will prevent its usage. Therefore I think it would be good to document this known issue. The only workaround now is to use custom policy module with the following rule:

#============= ipsec_t ==============
allow ipsec_t ipsecnat_port_t:tcp_socket { name_bind name_connect };

Comment 15 Zdenek Pytela 2021-04-27 18:01:08 UTC
Merged in rawhide:
commit e3778cb9326fe086398f7b703557b9f3ef41f270 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela@redhat.com>
Date:   Mon Apr 26 17:07:01 2021 +0200

    Allow pluto IKEv2 / ESP over TCP

    Libreswan and kernel have recently started to support transporting IKEv2
    and ESP packets over a TCP connection, described in RFC 8229, for
    traversing network middleboxes that may block IKE negotiation over UDP.

    The option is not enabled in libreswan by default, but anyway needs to
    be backed by SELinux policy in case the use was requested.
    By default, the 4500/tcp port is used.

    Resolves: rhbz#1931848


Note You need to log in before you can comment on or make changes to this bug.