2230277 – Allow ipsec to read nsfs files

Bug 2230277 - Allow ipsec to read nsfs files

Summary: Allow ipsec to read nsfs files

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	9.3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-08-09 08:51 UTC by Michal Ruprich
Modified:	2023-08-16 06:42 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-38.1.20-1.el9
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1826	0	None	open	Allow ipsec read nsfs files	2023-08-10 12:42:11 UTC
Red Hat Issue Tracker	RHELPLAN-164976	0	None	None	None	2023-08-09 09:23:10 UTC

Description Michal Ruprich 2023-08-09 08:51:00 UTC

Description of problem:
While working on bug #2215346 when all the FRR related AVCs are fixed, there is a new AVC that comes from ipsec:

type=PROCTITLE msg=audit(08/08/2023 04:02:16.354:311) : proctitle=/usr/bin/sh /sbin/ipsec --piddir 
type=EXECVE msg=audit(08/08/2023 04:02:16.354:311) : argc=3 a0=/usr/bin/sh a1=/sbin/ipsec a2=--piddir 
type=SYSCALL msg=audit(08/08/2023 04:02:16.354:311) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5568af67dbf0 a1=0x5568af67e4d0 a2=0x5568af67bd20 a3=0x8 items=0 ppid=8124 pid=8128 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=ipsec exe=/usr/bin/bash subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(08/08/2023 04:02:16.354:311) : avc:  denied  { read } for  pid=8128 comm=ipsec path=net:[4026531840] dev="nsfs" ino=4026531840 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-38.1.18-1.el9.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install version of FRR with fixed SELinux denials from bug #2215346, the version of frr and frr-selinux are available here:
https://people.redhat.com/mruprich/frr-8.3.1-13.el9.x86_64.rpm
https://people.redhat.com/mruprich/frr-selinux-8.3.1-13.el9.noarch.rpm

AND 

install libreswan package as well for ipsec.

2. Change the /etc/frr/daemons file to start some daemons for frr (probably just nhrpd but you can simply start all):

# sed -i 's/=no/=yes/gi' /etc/frr/daemons
# systemctl start frr

3. Check for AVCs:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=PROCTITLE msg=audit(08/09/2023 04:40:32.381:332) : proctitle=/usr/bin/sh /sbin/ipsec --piddir 
type=EXECVE msg=audit(08/09/2023 04:40:32.381:332) : argc=3 a0=/usr/bin/sh a1=/sbin/ipsec a2=--piddir 
type=SYSCALL msg=audit(08/09/2023 04:40:32.381:332) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x557ff5493bf0 a1=0x557ff54944d0 a2=0x557ff5491d20 a3=0x8 items=0 ppid=7808 pid=7812 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=ipsec exe=/usr/bin/bash subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(08/09/2023 04:40:32.381:332) : avc:  denied  { read } for  pid=7812 comm=ipsec path=net:[4026531840] dev="nsfs" ino=4026531840 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0

Actual results:
AVC from ipsec

Expected results:
No AVC

Comment 1 Milos Malik 2023-08-09 09:43:03 UTC

Caught in enforcing mode:
----
type=PROCTITLE msg=audit(08/09/2023 05:41:18.078:874) : proctitle=/usr/bin/sh /sbin/ipsec --piddir 
type=PATH msg=audit(08/09/2023 05:41:18.078:874) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=6505535 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/09/2023 05:41:18.078:874) : item=1 name=/usr/bin/sh inode=4465808 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/09/2023 05:41:18.078:874) : item=0 name=/sbin/ipsec inode=7508807 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ipsec_mgmt_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/09/2023 05:41:18.078:874) : cwd=/ 
type=EXECVE msg=audit(08/09/2023 05:41:18.078:874) : argc=3 a0=/usr/bin/sh a1=/sbin/ipsec a2=--piddir 
type=SYSCALL msg=audit(08/09/2023 05:41:18.078:874) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55f1e9fb9bf0 a1=0x55f1e9fba4d0 a2=0x55f1e9fb7d20 a3=0x8 items=3 ppid=55071 pid=55077 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=ipsec exe=/usr/bin/bash subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(08/09/2023 05:41:18.078:874) : avc:  denied  { read } for  pid=55077 comm=ipsec path=net:[4026531840] dev="nsfs" ino=4026531840 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0 
----

# rpm -qa selinux\* libreswan\* frr\* | sort
frr-8.3.1-13.el9.x86_64
frr-selinux-8.3.1-13.el9.noarch
libreswan-4.9-4.el9_2.x86_64
selinux-policy-38.1.18-1.el9.noarch
selinux-policy-devel-38.1.18-1.el9.noarch
selinux-policy-targeted-38.1.18-1.el9.noarch
#

Comment 2 Milos Malik 2023-08-09 09:44:56 UTC

Caught in permissive mode:
----
type=PROCTITLE msg=audit(08/09/2023 05:43:35.952:882) : proctitle=/usr/bin/sh /sbin/ipsec --piddir 
type=PATH msg=audit(08/09/2023 05:43:35.952:882) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=6505535 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/09/2023 05:43:35.952:882) : item=1 name=/usr/bin/sh inode=4465808 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/09/2023 05:43:35.952:882) : item=0 name=/sbin/ipsec inode=7508807 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ipsec_mgmt_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/09/2023 05:43:35.952:882) : cwd=/ 
type=EXECVE msg=audit(08/09/2023 05:43:35.952:882) : argc=3 a0=/usr/bin/sh a1=/sbin/ipsec a2=--piddir 
type=SYSCALL msg=audit(08/09/2023 05:43:35.952:882) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x56169f28cbf0 a1=0x56169f28d4d0 a2=0x56169f28ad20 a3=0x8 items=3 ppid=55279 pid=55283 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=ipsec exe=/usr/bin/bash subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) 
type=AVC msg=audit(08/09/2023 05:43:35.952:882) : avc:  denied  { read } for  pid=55283 comm=ipsec path=net:[4026531840] dev="nsfs" ino=4026531840 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 
----

Comment 6 Zdenek Pytela 2023-08-11 11:07:27 UTC

Commit to backport:
643dd51a4 (HEAD -> rawhide, upstream/rawhide) Allow ipsec read nsfs files

Note You need to log in before you can comment on or make changes to this bug.