RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1931848 - selinux-policy prevents ipsec/pluto to work over TCP
Summary: selinux-policy prevents ipsec/pluto to work over TCP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.4
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.5
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Khushbu Borole
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-02-23 11:55 UTC by Ondrej Moriš
Modified: 2021-11-11 11:39 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.14.3-68.el8
Doc Type: Bug Fix
Doc Text:
.`selinux-policy` now supports IPsec-based VPNs using TCP encapsulation Since RHEL 8.4, the `libreswan` packages have supported IPsec-based VPNs using TCP encapsulation, but the `selinux-policy` package did not reflect this update. As a consequence, when Libreswan was configured to use TCP, the `ipsec` service failed to bind to the given TCP port. With this update to the `selinux-policy` package, the `ipsec` service can bind and connect to the commonly used TCP port `4500`, and therefore you can use TCP encapsulation in IPsec-based VPNs.
Clone Of:
: 1951471 (view as bug list)
Environment:
Last Closed: 2021-11-09 19:42:58 UTC
Type: Bug
Target Upstream Version:
Embargoed:
kborole: needinfo-
kborole: needinfo-

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1372050 1 medium CLOSED RFE: Support IKE and ESP over TCP: RFC 8229 2023-10-13 11:37:26 UTC
Red Hat Product Errata RHBA-2021:4420 0 None None None 2021-11-09 19:43:20 UTC

Description Ondrej Moriš 2021-02-23 11:55:17 UTC 
Description of problem:

In RHEL-8.4, libreswan added a new feature - IKEv2 / ESP over TCP (BZ#1372050). Current selinux-policy restricts libreswan too much be able to use this feature. Please notice that by default this feature is disabled and it is mostly recommend to use it only if UDP traffic is blocked [1].

[1] https://libreswan.org/wiki/RFC_8229_-_TCP_support_for_IKEv2_and_ESP#When_to_use_TCP_for_IKE_and_EPS

Version-Release number of selected component (if applicable):

libreswan-4.3-1.el8
selinux-policy-3.14.3-63.el8

How reproducible:

100%

Steps to Reproduce:

1. Edit default /etc/ipsec.conf and uncomment listep-tcp=yes in the config section to enable IKEv2 over TCP.

2. Start ipsec service.

3. See audit log.

Actual results:

time->Tue Feb 23 06:35:00 2021
type=PROCTITLE msg=audit(1614080100.606:1029): proctitle=2F7573722F6C6962657865632F69707365632F706C75746F002D2D6C65616B2D646574656374697665002D2D636F6E666967002F6574632F69707365632E636F6E66002D2D6E6F666F726B
type=SYSCALL msg=audit(1614080100.606:1029): arch=c000003e syscall=49 success=no exit=-13 a0=15 a1=7ffdde04ec34 a2=1c a3=7ffdde04eb30 items=0 ppid=1 pid=35193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1614080100.606:1029): avc:  denied  { name_bind } for  pid=35193 comm="pluto" src=4500 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0

Expected results:

No AVCs.

Additional info:

# ausearch -ts 06:34:35 -m AVC | audit2allow

#============= ipsec_t ==============
allow ipsec_t ipsecnat_port_t:tcp_socket name_bind;
Comment 1 Milos Malik 2021-02-23 12:47:10 UTC 
Please re-test with the latest selinux-policy installed.
Comment 2 Milos Malik 2021-02-23 13:02:21 UTC 
I'm sorry. The latest selinux-policy only allows udp_socket:

# sesearch -s ipsec_t -t ipsecnat_port_t -p name_bind -A
allow ipsec_t ipsecnat_port_t:udp_socket name_bind;
#
Comment 3 Milos Malik 2021-02-23 13:54:07 UTC 
Following SELinux denial appeared several times in enforcing mode:
----
type=PROCTITLE msg=audit(02/23/2021 14:52:35.112:1947) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork 
type=SOCKADDR msg=audit(02/23/2021 14:52:35.112:1947) : saddr={ saddr_fam=inet6 laddr=::1 lport=4500 } 
type=SYSCALL msg=audit(02/23/2021 14:52:35.112:1947) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x1b a1=0x7ffd0d3e72d4 a2=0x1c a3=0x7ffd0d3e71d0 items=0 ppid=1 pid=81461 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(02/23/2021 14:52:35.112:1947) : avc:  denied  { name_bind } for  pid=81461 comm=pluto src=4500 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0 
----
Comment 4 Milos Malik 2021-02-23 13:55:49 UTC 
The only SELinux denial which appeared in permissive mode is:
----
type=PROCTITLE msg=audit(02/23/2021 14:55:08.761:1977) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork 
type=SOCKADDR msg=audit(02/23/2021 14:55:08.761:1977) : saddr={ saddr_fam=inet laddr=192.168.124.1 lport=4500 } 
type=SYSCALL msg=audit(02/23/2021 14:55:08.761:1977) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x16 a1=0x7ffc25ca0234 a2=0x10 a3=0x7ffc25ca0130 items=0 ppid=1 pid=82438 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(02/23/2021 14:55:08.761:1977) : avc:  denied  { name_bind } for  pid=82438 comm=pluto src=4500 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=1 
----
Comment 11 Ondrej Moriš 2021-03-08 17:35:59 UTC 
I just found out that there is one more AVC:

----
time->Mon Mar  8 12:28:35 2021
type=PROCTITLE msg=audit(1615224515.200:779): proctitle=2F7573722F6C6962657865632F69707365632F706C75746F002D2D6C65616B2D646574656374697665002D2D636F6E666967002F6574632F69707365632E636F6E66002D2D6E6F666F726B
type=SOCKADDR msg=audit(1615224515.200:779): saddr=020011940A008B240000000000000000
type=SYSCALL msg=audit(1615224515.200:779): arch=c000003e syscall=42 success=yes exit=0 a0=19 a1=7ffc2ba53074 a2=10 a3=0 items=0 ppid=1 pid=17348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1615224515.200:779): avc:  denied  { name_connect } for  pid=17348 comm="pluto" dest=4500 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=1

Therefore, the rule we need to add is actually as follows:

#============= ipsec_t ==============
allow ipsec_t ipsecnat_port_t:tcp_socket { name_bind name_connect };

IOW, not only name_bind for tcp_socket is needed but also name_connect permission.
Comment 12 Ondrej Moriš 2021-03-16 08:30:17 UTC 
Proposing "Known Issue" Doc Type. ESPinTCP feature will be present in RHEL-8.4 and this bug will prevent its usage. Therefore I think it would be good to document this known issue. The only workaround now is to use custom policy module with the following rule:

#============= ipsec_t ==============
allow ipsec_t ipsecnat_port_t:tcp_socket { name_bind name_connect };
Comment 15 Zdenek Pytela 2021-04-27 18:01:08 UTC 
Merged in rawhide:
commit e3778cb9326fe086398f7b703557b9f3ef41f270 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Mon Apr 26 17:07:01 2021 +0200

    Allow pluto IKEv2 / ESP over TCP

    Libreswan and kernel have recently started to support transporting IKEv2
    and ESP packets over a TCP connection, described in RFC 8229, for
    traversing network middleboxes that may block IKE negotiation over UDP.

    The option is not enabled in libreswan by default, but anyway needs to
    be backed by SELinux policy in case the use was requested.
    By default, the 4500/tcp port is used.

    Resolves: rhbz#1931848
Comment 33 errata-xmlrpc 2021-11-09 19:42:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420
Note You need to log in before you can comment on or make changes to this bug.