Bug 207304 - [FC6 regression] SELinux breaks openswan
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: i686 Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-09-20 11:52 EDT by Stefan Becker
Modified: 2008-08-02 19:40 EDT
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-04-09 10:08:50 EDT

Attachments
audit log from /var/log/messages (8.20 KB, text/plain)
2006-09-20 11:52 EDT, Stefan Becker

Description Stefan Becker 2006-09-20 11:52:18 EDT
Description of problem:

openswan can setup IPSec connections but then is no longer allowed to send
network packets.

Version-Release number of selected component (if applicable):

selinux-policy-2.3.13-5
selinux-policy-targeted-2.3.13-5
openswan-2.4.5-2.1

How reproducible: Always


Steps to Reproduce:
1. service ipsec start
2. ipsec auto --up roadwarrior (in my configuration)
3.
  
Actual results:

# service ipsec start
Starting IPsec:  Starting Openswan IPsec 2.4.5...
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/key/af_key.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/ipv4/ah4.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/ipv4/esp4.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/ipv4/ipcomp.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/ipv4/tunnel4.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/ipv4/xfrm4_tunnel.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/drivers/crypto/padlock.ko
FATAL: Error inserting padlock
(/lib/modules/2.6.17-1.2647.fc6/kernel/drivers/crypto/padlock.ko): No such device
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/crypto/md5.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/crypto/des.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/crypto/aes.ko
                                                           [  OK  ]
# ipsec auto --up roadwarrior
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=110
003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using 3: no NAT detected
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "roadwarrior" #2: STATE_QUICK_I1: initiate
003 ERROR: "roadwarrior" #2: sendto on ath0 to 192.168.3.1:500 failed in
STATE_QUICK_I1. Errno 11: Resource temporarily unavailable
004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x7e8145d3 <0x1ae03597 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}


Expected results:

# setenforce 0
# service ipsec start
Starting IPsec:  Starting Openswan IPsec 2.4.5...
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/key/af_key.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/net/ipv4/xfrm4_tunnel.ko
insmod /lib/modules/2.6.17-1.2647.fc6/kernel/drivers/crypto/padlock.ko
FATAL: Error inserting padlock
(/lib/modules/2.6.17-1.2647.fc6/kernel/drivers/crypto/padlock.ko): No such device
                                                           [  OK  ]
# ipsec auto --up roadwarrior
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=110
003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using 3: no NAT detected
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "roadwarrior" #2: STATE_QUICK_I1: initiate
004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x7e8145d4 <0xa0a59120 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}


Additional info: See attached audit messages.
Comment 1 Stefan Becker 2006-09-20 11:52:18 EDT
Created attachment 136751
audit log from /var/log/messages
Comment 2 Stefan Becker 2006-09-23 06:05:32 EDT
Forgot to mention that this worked OK on FC5...
Comment 3 Daniel Walsh 2006-09-23 07:03:23 EDT
For now you can build a loadable policy module for this access using audit2allow

audit2allow -M local < /var/log/messages

Generating type enforcment file: local.te
Compiling policy
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod

******************** IMPORTANT ***********************

In order to load this newly created policy package into the kernel,
you are required to execute 

semodule -i local.pp
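The audit2allow workflow in the comment above turns the AVC denials logged in /var/log/messages into a loadable policy module. As an added example (not from the bug report, openswan or the SELinux tools themselves), the Python script below shows what that step does: it parses AVC records out of syslog-style lines, groups the denials by source type, target type and object class, renders a type enforcement module in the same shape that audit2allow -M local writes to local.te, and flags network-class rules for a second look before they are loaded. The log lines are constructed for illustration and are not the attached audit log; the contexts and permissions in them (ipsec_t, isakmp_port_t, send_msg, etc_t) are assumed for the example rather than taken from the report.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in /var/log/messages format (syslog prefix + kernel audit
# record). Illustrative only: not the bug's attachment, and the types and
# permissions are assumed for the example.
SAMPLE_LOG = """\
Sep 20 11:40:01 laptop kernel: audit(1158766801.123:45): avc:  denied  { send_msg } for  pid=2345 comm="pluto" saddr=192.168.3.5 src=500 daddr=192.168.3.1 dest=500 netif=ath0 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
Sep 20 11:40:01 laptop kernel: audit(1158766801.124:46): avc:  denied  { send_msg } for  pid=2345 comm="pluto" saddr=192.168.3.5 src=500 daddr=192.168.3.1 dest=500 netif=ath0 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
Sep 20 11:40:02 laptop kernel: audit(1158766802.001:47): avc:  denied  { read getattr } for  pid=2345 comm="pluto" name="ipsec.secrets" dev=dm-0 ino=1234 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Sep 20 11:40:03 laptop kernel: audit(1158766803.500:48): avc:  granted  { setenforce } for  pid=2400 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
Sep 20 11:40:04 laptop ntpd[1900]: synchronized to 192.0.2.10, stratum 2
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes where a generated allow rule widens network reachability.
NETWORK_CLASSES = {"udp_socket", "tcp_socket", "rawip_socket", "packet", "netif", "node"}


def parse_avc(line):
    """Return the verdict, permission list and key=value fields of an AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Extract the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Group denials by (source type, target type, class) -> sorted perms, count, comm names."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comm": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue  # non-AVC lines and granted records carry no rule to generate
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["count"] += 1
        groups[key]["comm"].add(rec.get("comm", "?"))
    return {k: {"perms": sorted(v["perms"]), "count": v["count"], "comm": sorted(v["comm"])}
            for k, v in sorted(groups.items())}


def _perm_set(perms):
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def generate_te(denials, module_name="local"):
    """Render a type enforcement module in the shape audit2allow -M writes (module, require, allow)."""
    types = sorted({s for (s, _, _) in denials} | {t for (_, t, _) in denials})
    class_perms = defaultdict(set)
    for (_, _, cls), info in denials.items():
        class_perms[cls].update(info["perms"])
    out = ["module %s 1.0;" % module_name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (cls, _perm_set(sorted(class_perms[cls]))) for cls in sorted(class_perms)]
    out += ["}", ""]
    by_source = defaultdict(list)
    for (src, tgt, cls), info in denials.items():
        by_source[src].append("allow %s %s:%s %s;" % (src, tgt, cls, _perm_set(info["perms"])))
    for src in sorted(by_source):
        out += ["#============= %s ==============" % src] + by_source[src] + [""]
    return "\n".join(out)


def review_hints(denials):
    """List the generated rules that touch network classes so they get reviewed before loading."""
    hints = []
    for (src, tgt, cls), info in denials.items():
        if cls in NETWORK_CLASSES:
            hints.append("%s -> %s:%s %s (%d denials, comm=%s): network rule, confirm the target "
                         "type is the intended port/node type and not a catch-all"
                         % (src, tgt, cls, " ".join(info["perms"]), info["count"], ",".join(info["comm"])))
    return hints


if __name__ == "__main__":
    # Usage: python3 avc_summary.py [/var/log/messages]; without a path the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarize_denials(text)
    print(generate_te(summary))
    for hint in review_hints(summary):
        print("REVIEW:", hint)
```

The output of generate_te is what checkmodule and semodule_package would compile in the next two steps of the comment; the review hints are the part audit2allow does not do for you, since it emits exactly the permissions that were denied and cannot tell whether the target type is as narrow as the administrator intended.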
Comment 4 Stefan Becker 2006-09-23 12:05:55 EDT
Yep, that helps...
Comment 5 Daniel Walsh 2006-09-28 14:43:41 EDT
Fixed in selinux-policy-2.3.16-6
Comment 6 Stefan Becker 2006-10-01 06:30:01 EDT
Verified with selinux-policy-2.3.16-9
Comment 7 Matthew Miller 2007-04-06 14:01:19 EDT
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer
test releases. We're cleaning up the bug database and making sure important bug
reports filed against these test releases don't get lost. It would be helpful if
you could test this issue with a released version of Fedora or with the latest
development / test release. Thanks for your help and for your patience.

[This is a bulk message for all open FC5/FC6 test release bugs. I'm adding
myself to the CC list for each bug, so I'll see any comments you make after this
and do my best to make sure every issue gets proper attention.]
