Bug 443646 - AVC errors when openswan attempts to start up
AVC errors when openswan attempts to start up
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan (Show other bugs)
5.2
All Linux
low Severity low
: rc
: ---
Assigned To: Avesh Agarwal
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-22 13:33 EDT by Neil Horman
Modified: 2009-09-02 07:19 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-02 07:19:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
This patch against refpolicy makes it quiet about openswan leaked file descriptors (2.41 KB, patch)
2008-06-05 03:55 EDT, Tuomo Soini
no flags Details | Diff

  None (edit)
Description Neil Horman 2008-04-22 13:33:56 EDT
Description of problem:
AVC denied errors are produced when openswan service is started

Version-Release number of selected component (if applicable):

openswan 2.6.11

How reproducible:
always with selinux enabled

Steps to Reproduce:
1.service ipsec start
2.service ipsec stop

  
Actual results:
on "service ipsec stop":
type=AVC msg=audit(1208877088.517:84): avc:  denied  { read write } for  
pid=3724 comm="ip" path="socket:[9064]" dev=sockfs ino=9064 
scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1208877088.517:84): arch=40000003 syscall=11 
success=yes exit=0 a0=8379b98 a1=837ac90 a2=837bd58 a3=0 items=0 ppid=3723 
pid=3724 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" 
subj=system_u:system_r:ifconfig_t:s0 key=(null)

on "service ipsec start":
type=AVC msg=audit(1208877097.674:85): avc:  denied  { read write } for  
pid=3904 comm="ip" path="socket:[11059]" dev=sockfs ino=11059 
scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 
tclass=unix_stream_socket
type=SYSCALL msg=audit(1208877097.674:85): arch=40000003 syscall=11 
success=yes exit=0 a0=89bf248 a1=89bf4c0 a2=89c6980 a3=0 items=0 ppid=3903 
pid=3904 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts0 ses=1 comm="ip" exe="/sbin/ip" subj=root:system_r:ifconfig_t:s0 
key=(null)
type=AVC msg=audit(1208877097.694:86): avc:  denied  { read write } for  
pid=3907 comm="ip" path="socket:[11059]" dev=sockfs ino=11059 
scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 
tclass=unix_stream_socket
type=SYSCALL msg=audit(1208877097.694:86): arch=40000003 syscall=11 
success=yes exit=0 a0=9ef2780 a1=9ef47e8 a2=9ef4938 a3=0 items=0 ppid=3906 
pid=3907 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts0 ses=1 comm="ip" exe="/sbin/ip" subj=root:system_r:ifconfig_t:s0 
key=(null)

Expected results:
No AVC errors 

Additional info:
These are the remaining errors from bz 442333.  Most fo the errors belonged to
openswan itself.  We have however patched that package to force close all
sockets on execve.  These errors are what remain, and appear to relate to
attempts to open sockets within the iproute2 utility.
Comment 1 Daniel Walsh 2008-04-22 15:29:22 EDT
I believe these are still leaked file descriptors, since I do know know how ip
would gain access to these,   Is it intentional to pass this file descriptors.
Comment 2 Daniel Walsh 2008-05-02 15:23:13 EDT
File descriptors need to be closed on exec

fcntl(fd, F_SETFD, F_CLOSEXEC)
Comment 3 Tuomo Soini 2008-06-05 03:55:45 EDT
Created attachment 308417 [details]
This patch against refpolicy makes it quiet about openswan leaked file descriptors

Of course it would be better not to leak descriptors but most of the code doing
this is shellscripts handling openswan startup and closing open filehandles
there is not easy.
Comment 4 RHEL Product and Program Management 2008-06-06 14:53:56 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 6 Steve Grubb 2008-09-19 10:08:09 EDT
Does this problem still exist in 2.6.14?
Comment 7 Neil Horman 2008-09-19 10:37:50 EDT
I thought there we getting resolved with bz 442333, which was in 2.4.12, IIRC.  I've not tested however
Comment 8 Steve Grubb 2008-09-19 10:57:27 EDT
This is believed to be fixed.
Comment 9 pinkyred 2008-09-19 23:21:00 EDT
I tried the latest IPsec with fedora 9 (2.6.25) and see different SELinux warnings that I can't get around with local policies (they have no effect).  Is this the same bug?  (The AVC looks different).  Here are the warnings below.

I don't understand the details of the warnings...so feedback appreciated.

------------------

Summary:

SELinux is preventing pluto (ipsec_t) "create" to <Unknown> (ipsec_t).

Detailed Description:

SELinux denied access requested by pluto. It is not expected that this access is
required by pluto and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_t:s0
Target Context                unconfined_u:system_r:ipsec_t:s0
Target Objects                None [ netlink_xfrm_socket ]
Source                        pluto
Source Path                   /usr/libexec/ipsec/pluto
Port                          <Unknown>
Host                          firewall.ocg.ca
Source RPM Packages           openswan-2.6.09-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     firewall.ocg.ca
Platform                      Linux firewall.ocg.ca 2.6.25.14108b.fc9-firewall
                              #3 SMP Sun Sep 7 15:53:27 EDT 2008 i686 i686
Alert Count                   10
First Seen                    Sat Sep 13 22:52:20 2008
Last Seen                     Fri Sep 19 23:03:23 2008
Local ID                      da7f5c8c-bd85-438f-8688-92db4b8c90f4
Line Numbers                  

Raw Audit Messages            

host=firewall.ocg.ca type=AVC msg=audit(1221879803.438:44643): avc:  denied  { create } for  pid=31795 comm="pluto" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:system_r:ipsec_t:s0 tclass=netlink_xfrm_socket

host=firewall.ocg.ca type=SYSCALL msg=audit(1221879803.438:44643): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfe90740 a2=b8096798 a3=b809d960 items=0 ppid=31794 pid=31795 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7329 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)

----------------


Summary:

SELinux is preventing pluto (ipsec_t) "setsched" to <Unknown> (ipsec_t).

Detailed Description:

SELinux denied access requested by pluto. It is not expected that this access is
required by pluto and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_t:s0
Target Context                unconfined_u:system_r:ipsec_t:s0
Target Objects                None [ process ]
Source                        pluto
Source Path                   /usr/libexec/ipsec/pluto
Port                          <Unknown>
Host                          firewall.ocg.ca
Source RPM Packages           openswan-2.6.09-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     firewall.ocg.ca
Platform                      Linux firewall.ocg.ca 2.6.25.14108b.fc9-firewall
                              #3 SMP Sun Sep 7 15:53:27 EDT 2008 i686 i686
Alert Count                   12
First Seen                    Sat Sep 13 22:52:20 2008
Last Seen                     Fri Sep 19 23:03:23 2008
Local ID                      4517e80b-7917-4d85-87f7-b3289b7176f2
Line Numbers                  

Raw Audit Messages            

host=firewall.ocg.ca type=AVC msg=audit(1221879803.404:44642): avc:  denied  { setsched } for  pid=31798 comm="pluto" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:system_r:ipsec_t:s0 tclass=process

host=firewall.ocg.ca type=SYSCALL msg=audit(1221879803.404:44642): arch=40000003 syscall=97 success=no exit=-13 a0=0 a1=0 a2=a a3=8 items=0 ppid=31795 pid=31798 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7329 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
Comment 10 Daniel Walsh 2008-09-22 13:59:58 EDT
Both of these accesses are in the RHEL5 U3 policy.
Comment 11 pinkyred 2008-09-22 22:07:09 EDT
Is it possible to apply this patch to Fedora 9 (2.6.25)?  If so, could you provide some basic instructions?  Thanks
Comment 12 Steve Grubb 2008-09-23 07:02:19 EDT
In reply to comment #11, if there is a problem in F-9, you should open a bz for it. This bug is about leaked file descriptors in RHEL5. :)
Comment 16 Alexander Todorov 2009-06-12 10:36:59 EDT
Which version is this fixed in? With selinux-policy-2.4.6-242.el5 and openswan-2.6.21-3.el5 I get:

# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.18-152.el5xen..

type=AVC msg=audit(1244817244.464:69): avc:  denied  { sys_nice } for  pid=4519 comm="pluto" capability=23 scontext=root:system_r:ipsec_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=capability
type=SYSCALL msg=audit(1244817244.464:69): arch=c0000032 syscall=1163 success=yes exit=0 a0=11a7 a1=0 a2=60000fffffc7f148 a3=200000080080c238 items=0 ppid=4516 pid=4519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1244817244.468:70): avc:  denied  { write } for  pid=4519 comm="pluto" name="ipsec.d" dev=dm-0 ino=8522401 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir
type=SYSCALL msg=audit(1244817244.468:70): arch=c0000032 syscall=1028 success=no exit=-13 a0=20000008009a0760 a1=242 a2=180 a3=c00000000000193a items=0 ppid=4516 pid=4519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1244817244.484:71): avc:  denied  { read } for  pid=4519 comm="pluto" name="tmp" dev=dm-0 ino=10190849 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1244817244.484:71): arch=c0000032 syscall=1028 success=no exit=-13 a0=2000000800bc4240 a1=0 a2=1b6 a3=591181 items=0 ppid=4516 pid=4519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1244817244.484:72): avc:  denied  { read } for  pid=4519 comm="pluto" name="tmp" dev=dm-0 ino=10420228 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1244817244.484:72): arch=c0000032 syscall=1028 success=no exit=-13 a0=2000000800bc4248 a1=0 a2=1b6 a3=591181 items=0 ppid=4516 pid=4519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1244817244.484:73): avc:  denied  { read } for  pid=4519 comm="pluto" name="tmp" dev=dm-0 ino=10420228 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1244817244.484:73): arch=c0000032 syscall=1028 success=no exit=-13 a0=2000000800bc4258 a1=0 a2=1b6 a3=591181 items=0 ppid=4516 pid=4519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1244817244.484:74): avc:  denied  { write } for  pid=4519 comm="pluto" name="ipsec.d" dev=dm-0 ino=8522401 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir
type=SYSCALL msg=audit(1244817244.484:74): arch=c0000032 syscall=1028 success=no exit=-13 a0=20000008009a89b0 a1=242 a2=180 a3=c00000000000193a items=0 ppid=4516 pid=4519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=USER_ACCT msg=audit(1244817301.155:75): user pid=4536 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1244817301.159:76): user pid=4536 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1244817301.159:77): login pid=4536 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=8
type=USER_START msg=audit(1244817301.179:78): user pid=4536 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1244817301.587:79): user pid=4536 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1244817301.587:80): user pid=4536 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

# /etc/init.d/ipsec status
IPsec stopped
but...
has subsystem lock (/var/lock/subsys/ipsec)!

type=AVC msg=audit(1244817358.011:81): avc:  denied  { ptrace } for  pid=4551 comm="ps" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_mgmt_t:s0 tclass=process
type=SYSCALL msg=audit(1244817358.011:81): arch=c0000032 syscall=1026 success=yes exit=222 a0=6 a1=20000000000a3008 a2=3ff a3=200000000008d0d0 items=0 ppid=4546 pid=4551 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="ps" exe="/bin/ps" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
Comment 17 Daniel Walsh 2009-06-12 11:41:16 EDT
selinux-policy-2.4.6-246.el5 fixes this.
Comment 20 errata-xmlrpc 2009-09-02 07:19:41 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1350.html

Note You need to log in before you can comment on or make changes to this bug.