Bug 218386 - LSPP: labeled ipsec does not work over loopback
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ipsec-tools
powerpc Linux
medium Severity medium
Assigned To: Steve Conklin
Brian Brock
Depends On:
Blocks: RHEL5LSPPCertTracker
Reported: 2006-12-04 18:46 EST by Joy Latten
Modified: 2007-11-30 17:07 EST
7 users

See Also:
Fixed In Version: RHSA-2007-0342
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-06-27 10:19:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
Patch that allows racoon to negotiate with itself over loopback. (15.74 KB, patch)
2007-04-05 20:30 EDT, Joy Latten

Description Joy Latten 2006-12-04 18:46:45 EST
Description of problem:
When labeled ipsec is configured, cannot ping loopback.

Version-Release number of selected component (if applicable):
I am using lspp 56 kernel with RHEL5 beta1 refresh.

How reproducible:
All the time.

Steps to Reproduce:
1. echo 0 > /proc/sys/net/ipv4/confeth0/disable_policy
   echo 0 > /proc/sys/net/ipv4/confeth0/disable_xfrm
2. Use setkey to install the labeled ipsec config. 
   My labeled ipsec config is:
add esp 35590 -m transport
-ctx 1 1 "system_u:object_r:ping_t:s0-s15:c0.c1023"
-E 3des-cbc "06183223c23a21e8b36c566b";

spdadd any 
-ctx 1 1 "system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
-P in ipsec

spdadd any 
-ctx 1 1 "system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
-P out ipsec

3. ping 

Actual results:
The ping hangs.  

Expected results:
The ping to succeed

Additional info:
When I try this exact same config minus the security context, the ping works.
Thus I have concluded something is incorrect when using labels. 
I did not see any avc denied messages in my /var/log/audit/audit.log
Comment 1 Joy Latten 2006-12-04 19:13:39 EST
I meant to add 2 more things.
1. That I am running selinux in permissive mode.
2. The ping does not hang but comes back with, "connect: No such process".
   This has led me to believe it cannot find the needed SA, although I have
   installed the SA.

I have also tried this on rhel5 beta2 with lspp56 kernel and get
the same results.
Comment 2 Joy Latten 2006-12-04 19:19:25 EST
In step 1., it should read 
echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
Comment 3 RHEL Product and Program Management 2006-12-06 04:30:27 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
Comment 4 Issue Tracker 2006-12-12 11:13:22 EST
----- Additional Comments From latten@us.ibm.com  2006-12-11 20:56 EDT
Ok, I figured it out. In selinux_xfrm_state_pol_flow_match() we no longer
do a
"polmatch" check on the SA and policy. Instead, we do  
"if (fl->secid != state_sid)" check. This obsoleted my policy.

It is most likely that racoon will always negotiate the SA's correctly.
Racoon doesn't appear to be able to negotiate with itself for loopback to
though. So I think if you want to use labeled ipsec over loopback, you need
to make sure the SA's context exactly matches the flow's, when setting up
For ping over labeled ipsec, an SA with context,
"root:sysadm_r:ping_t:s0-s15:c0.c1023" worked 
for me. 

This event sent from IssueTracker by araghavan 
 issue 108572
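The following checker is an added example for this thread; it is not code from ipsec-tools, racoon or the kernel. It parses setkey(8) `add`/`spdadd` statements of the shape shown in the Steps to Reproduce and applies the rule comment 4 describes for the lspp kernel: an SA is used for a flow only when the SA's security context is exactly equal to the flow's context (the `fl->secid != state_sid` check), with no polmatch-style compatibility. With no matching SA the sender gets ESRCH, which is the "connect: No such process" from comment 1. Assumptions not taken from the page: the loopback addresses and the `esp/transport//require` policy suffix in the constructed sample configs (the report shows the statements without them), the flow context, which is the one comment 4 reports working for ping, and the function names `parse_setkey`, `sa_for_flow` and `check`. The policy-side access checks that the kernel also performs are outside this model.

```python
"""Checker for labeled-IPsec setkey(8) configs (added example, not project code).

Models only the SA selection rule from comment 4 of this bug: the lspp
kernel picks an SA for a flow only when the SA's -ctx string is identical
to the flow's context. Everything else is rejected, and the sender sees
ESRCH ("connect: No such process", comment 1).
"""
import re

CTX_RE = re.compile(r'-ctx\s+(\d+)\s+(\d+)\s+"([^"]*)"')   # -ctx doi alg "context"
SPI_RE = re.compile(r'\b(esp|ah)\s+(\d+)\b')                # protocol followed by SPI
DIR_RE = re.compile(r'-P\s+(in|out)\b')                     # policy direction


def parse_setkey(text):
    """Return one dict per add/spdadd statement (';'-terminated, may span lines)."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith('#')]
    entries = []
    for stmt in '\n'.join(lines).split(';'):
        stmt = ' '.join(stmt.split())      # collapse newlines and indentation
        if not stmt:
            continue
        kind = stmt.split(' ', 1)[0]
        if kind not in ('add', 'spdadd'):
            continue                       # flush/spdflush etc. carry no context
        ctx = CTX_RE.search(stmt)
        spi = SPI_RE.search(stmt)
        direction = DIR_RE.search(stmt)
        entries.append({
            'kind': kind,
            'ctx': ctx.group(3) if ctx else None,
            'spi': int(spi.group(2)) if spi else None,
            'dir': direction.group(1) if direction else None,
        })
    return entries


def sa_for_flow(entries, flow_ctx):
    """Exact-match rule from comment 4: first SA whose -ctx equals flow_ctx, else None."""
    for e in entries:
        if e['kind'] == 'add' and e['ctx'] == flow_ctx:
            return e
    return None


def check(config_text, flow_ctx, direction='out'):
    """Predict the outcome for a flow with context flow_ctx in the given direction.

    'BYPASS' when no policy covers the direction, 'ESRCH' when a policy
    requires IPsec but no SA carries the flow's exact context, otherwise
    'OK spi=<n>'.
    """
    entries = parse_setkey(config_text)
    needs_ipsec = any(e['kind'] == 'spdadd' and e['dir'] == direction
                      for e in entries)
    if not needs_ipsec:
        return 'BYPASS'
    sa = sa_for_flow(entries, flow_ctx)
    if sa is None:
        return 'ESRCH'
    return 'OK spi=%d' % sa['spi']


# Flow context taken from comment 4 (the SA context that made ping work).
FLOW_CTX = 'root:sysadm_r:ping_t:s0-s15:c0.c1023'

# Constructed from the report's config. The 127.0.0.1 addresses and the
# "esp/transport//require" suffix are assumptions; the report omits them.
REPORTED_CONFIG = '''
add 127.0.0.1 127.0.0.1 esp 35590 -m transport
    -ctx 1 1 "system_u:object_r:ping_t:s0-s15:c0.c1023"
    -E 3des-cbc "06183223c23a21e8b36c566b";
spdadd 127.0.0.1 127.0.0.1 any
    -ctx 1 1 "system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
    -P in ipsec esp/transport//require;
spdadd 127.0.0.1 127.0.0.1 any
    -ctx 1 1 "system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
    -P out ipsec esp/transport//require;
'''

# Same config with the SA labeled with the flow's own context, as in comment 4.
MATCHING_CONFIG = REPORTED_CONFIG.replace(
    'system_u:object_r:ping_t:s0-s15:c0.c1023', FLOW_CTX)

if __name__ == '__main__':
    print('reported config:', check(REPORTED_CONFIG, FLOW_CTX))   # ESRCH
    print('matching config:', check(MATCHING_CONFIG, FLOW_CTX))   # OK spi=35590
```

Run it as a script to see the two outcomes side by side; to check a real host's configuration, feed `check()` the text you load with `setkey -f` and the context of the sending process (`id -Z` on the lspp system, an assumption about how you obtain it).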
Comment 5 Eric Paris 2007-01-05 15:19:45 EST
Joy, can you remind me again where we stand with this?  I believe at one point
you were going to talk with the ipsec people about making racoon talk to itself
over loopback.  Did that go anywhere?  Can you help me get back up to date after
my brain rotted during vacation?
Comment 6 Joy Latten 2007-01-23 14:46:20 EST
I queried the ipsec-tools list but did not get any helpful info. One person
stated they tried this a while back and could not get it to work. 

I started looking at the racoon code to see if it would be trivial to fix.
Did not get very far with this as I had other lspp development items at equal

Joe Nall has also been looking at the code and sent me a racoon patch he created
yesterday to look at. He says it needs more work. I will try and look at it
later today or tomorrow. 
Comment 8 Irina Boverman 2007-02-14 14:53:08 EST
Per 2/12 discussion, Joy continues to work on a patch. 
Comment 9 Eric Paris 2007-02-15 15:46:11 EST
As this is likely going to have to be a userspace patch to ipsec-tools adding
harald to ipsec-tools maintainer
Comment 10 Joy Latten 2007-02-20 13:34:29 EST
Ran a 16 hour labeled ipsec stress test with the patched racoon.
Sent streams of packets over loopback as well as eth0 to a remote to test
how racoon would work in both schemes. 

While the stress tests completed successfully, I saw what I believe to be
unusual behaviour. SAs were being created twice instead of once. So I will
continue to work on this patch.
Comment 11 George C. Wilson 2007-04-02 16:07:14 EDT
Joy will run one more day of stress testing.
Comment 12 Eric Paris 2007-04-02 16:41:12 EDT
reassigning to harald.  jlatten should be attaching a patch for ipsec-tools very
Comment 13 Joy Latten 2007-04-03 18:45:36 EDT
I have sent the patch that started off as a proof of concept from Paul Moore to
the ipsec-tools community. I have been testing for last 24 hours without
problems, but will continue to test until I feel less wary. I also would like to
hear from ipsec-tools list. 

Comment 14 Joy Latten 2007-04-05 20:30:28 EDT
Created attachment 151822
Patch that allows racoon to negotiate with itself over loopback.

Patch sent to ipsec-tools list. Still awaiting feedback and acceptance.
This patch includes Paul Moore's proof of concept.
Comment 16 George C. Wilson 2007-04-09 16:14:32 EDT
Stress test over weekend with lspp.72 kernel and latest racoon leaks file
descriptors. Test ran 36 hours. See bug 235680.
Comment 17 George C. Wilson 2007-04-09 16:16:33 EDT
sgrubb: Got OK to build.
Comment 18 George C. Wilson 2007-04-10 11:35:27 EDT
Joy, this needs to be backported to RHEL5.
Comment 19 Steve Grubb 2007-04-10 16:33:58 EDT
built ipsec-tools-0.6.5-6.3 to address this issue.
Comment 20 George C. Wilson 2007-04-11 19:44:07 EDT
Joy, can you verify that this is fixed in a build? Thanks.
Comment 21 Joy Latten 2007-04-11 20:23:25 EDT
Ok, I just tried it and it appears to be working ok. However, I have not yet had
this accepted upstream and would rather not close this until it is accepted.
Comment 22 Issue Tracker 2007-06-27 13:32:28 EDT
Closing issue per last update.
Thank You
Joe Kachuck

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.1'

This event sent from IssueTracker by jkachuck 
 issue 108572
