Description of problem:
AVC denied errors are produced when openswan service is started

Version-Release number of selected component (if applicable):
openswan 2.6.11

How reproducible:
always with selinux enabled

Steps to Reproduce:
1. service ipsec start
2. service ipsec stop

Actual results:
on "service ipsec stop":
type=AVC msg=audit(1208877088.517:84): avc: denied { read write } for pid=3724 comm="ip" path="socket:[9064]" dev=sockfs ino=9064 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1208877088.517:84): arch=40000003 syscall=11 success=yes exit=0 a0=8379b98 a1=837ac90 a2=837bd58 a3=0 items=0 ppid=3723 pid=3724 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)

on "service ipsec start":
type=AVC msg=audit(1208877097.674:85): avc: denied { read write } for pid=3904 comm="ip" path="socket:[11059]" dev=sockfs ino=11059 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1208877097.674:85): arch=40000003 syscall=11 success=yes exit=0 a0=89bf248 a1=89bf4c0 a2=89c6980 a3=0 items=0 ppid=3903 pid=3904 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/sbin/ip" subj=root:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1208877097.694:86): avc: denied { read write } for pid=3907 comm="ip" path="socket:[11059]" dev=sockfs ino=11059 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1208877097.694:86): arch=40000003 syscall=11 success=yes exit=0 a0=9ef2780 a1=9ef47e8 a2=9ef4938 a3=0 items=0 ppid=3906 pid=3907 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/sbin/ip" subj=root:system_r:ifconfig_t:s0 key=(null)

Expected results:
No AVC errors
Additional info: These are the remaining errors from bz 442333. Most of the errors belonged to openswan itself. We have however patched that package to force close all sockets on execve. These errors are what remain, and appear to relate to attempts to open sockets within the iproute2 utility.
I believe these are still leaked file descriptors, since I do not know how ip would otherwise gain access to these. Is it intentional to pass these file descriptors?
File descriptors need to be closed on exec: fcntl(fd, F_SETFD, FD_CLOEXEC)
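As an added example (not code from this bug report or from openswan), the fcntl fix named in the comment above in C, with a check that reports whether a descriptor would still be inherited across execve and a hypothetical sweep, sweep_cloexec, of the kind a daemon can run before it spawns helpers such as /sbin/ip. The function names and the socketpair stand-in for the leaked socket are mine.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if fd would be inherited across execve(), 0 if it is marked
 * close-on-exec, -1 if fd is not an open descriptor. */
int survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* The fix from the comment above: set FD_CLOEXEC, keeping existing flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Hypothetical sweep a daemon can run before spawning helpers such as
 * /sbin/ip: mark every descriptor above stderr close-on-exec so none
 * leaks into the child. Returns how many inheritable descriptors it fixed. */
int sweep_cloexec(void)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    int fixed = 0;
    /* Cap the scan for this example; real code would walk /proc/self/fd. */
    if (maxfd < 0 || maxfd > 65536) maxfd = 65536;
    for (int fd = 3; fd < maxfd; fd++)
        if (survives_exec(fd) == 1 && set_cloexec(fd) == 0)
            fixed++;
    return fixed;
}

int main(void)
{
    /* Constructed stand-in for the leaked unix_stream_socket in the AVC. */
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return 1;
    printf("fd %d inheritable before sweep: %d\n", sv[0], survives_exec(sv[0]));
    printf("sweep fixed %d descriptor(s)\n", sweep_cloexec());
    printf("fd %d inheritable after sweep:  %d\n", sv[0], survives_exec(sv[0]));
    close(sv[0]); close(sv[1]);
    return 0;
}
```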
Created attachment 308417: This patch against refpolicy makes it quiet about openswan leaked file descriptors. Of course it would be better not to leak descriptors, but most of the code doing this is shell scripts handling openswan startup, and closing open filehandles there is not easy.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Does this problem still exist in 2.6.14?
I thought these were getting resolved with bz 442333, which was in 2.4.12, IIRC. I've not tested, however.
This is believed to be fixed.
I tried the latest IPsec with fedora 9 (2.6.25) and see different SELinux warnings that I can't get around with local policies (they have no effect). Is this the same bug? (The AVC looks different.) Here are the warnings below. I don't understand the details of the warnings... so feedback appreciated.

------------------
Summary:
SELinux is preventing pluto (ipsec_t) "create" to <Unknown> (ipsec_t).

Detailed Description:
SELinux denied access requested by pluto. It is not expected that this access is required by pluto and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context    unconfined_u:system_r:ipsec_t:s0
Target Context    unconfined_u:system_r:ipsec_t:s0
Target Objects    None [ netlink_xfrm_socket ]
Source            pluto
Source Path       /usr/libexec/ipsec/pluto
Port              <Unknown>
Host              firewall.ocg.ca
Source RPM Packages  openswan-2.6.09-2.fc9
Target RPM Packages
Policy RPM        selinux-policy-3.3.1-84.fc9
Selinux Enabled   True
Policy Type       targeted
MLS Enabled       True
Enforcing Mode    Enforcing
Plugin Name       catchall
Host Name         firewall.ocg.ca
Platform          Linux firewall.ocg.ca 2.6.25.14108b.fc9-firewall #3 SMP Sun Sep 7 15:53:27 EDT 2008 i686 i686
Alert Count       10
First Seen        Sat Sep 13 22:52:20 2008
Last Seen         Fri Sep 19 23:03:23 2008
Local ID          da7f5c8c-bd85-438f-8688-92db4b8c90f4
Line Numbers

Raw Audit Messages
host=firewall.ocg.ca type=AVC msg=audit(1221879803.438:44643): avc: denied { create } for pid=31795 comm="pluto" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:system_r:ipsec_t:s0 tclass=netlink_xfrm_socket
host=firewall.ocg.ca type=SYSCALL msg=audit(1221879803.438:44643): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfe90740 a2=b8096798 a3=b809d960 items=0 ppid=31794 pid=31795 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7329 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)

----------------
Summary:
SELinux is preventing pluto (ipsec_t) "setsched" to <Unknown> (ipsec_t).

Detailed Description:
SELinux denied access requested by pluto. It is not expected that this access is required by pluto and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context    unconfined_u:system_r:ipsec_t:s0
Target Context    unconfined_u:system_r:ipsec_t:s0
Target Objects    None [ process ]
Source            pluto
Source Path       /usr/libexec/ipsec/pluto
Port              <Unknown>
Host              firewall.ocg.ca
Source RPM Packages  openswan-2.6.09-2.fc9
Target RPM Packages
Policy RPM        selinux-policy-3.3.1-84.fc9
Selinux Enabled   True
Policy Type       targeted
MLS Enabled       True
Enforcing Mode    Enforcing
Plugin Name       catchall
Host Name         firewall.ocg.ca
Platform          Linux firewall.ocg.ca 2.6.25.14108b.fc9-firewall #3 SMP Sun Sep 7 15:53:27 EDT 2008 i686 i686
Alert Count       12
First Seen        Sat Sep 13 22:52:20 2008
Last Seen         Fri Sep 19 23:03:23 2008
Local ID          4517e80b-7917-4d85-87f7-b3289b7176f2
Line Numbers

Raw Audit Messages
host=firewall.ocg.ca type=AVC msg=audit(1221879803.404:44642): avc: denied { setsched } for pid=31798 comm="pluto" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:system_r:ipsec_t:s0 tclass=process
host=firewall.ocg.ca type=SYSCALL msg=audit(1221879803.404:44642): arch=40000003 syscall=97 success=no exit=-13 a0=0 a1=0 a2=a a3=8 items=0 ppid=31795 pid=31798 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7329 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
Both of these accesses are in the RHEL5 U3 policy.
Is it possible to apply this patch to Fedora 9 (2.6.25)? If so, could you provide some basic instructions? Thanks
In reply to comment #11, if there is a problem in F-9, you should open a bz for it. This bug is about leaked file descriptors in RHEL5. :)
Which version is this fixed in? With selinux-policy-2.4.6-242.el5 and openswan-2.6.21-3.el5 I get:

# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.18-152.el5xen..
type=AVC msg=audit(1244817244.464:69): avc: denied { sys_nice } for pid=4519 comm="pluto" capability=23 scontext=root:system_r:ipsec_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=capability
type=SYSCALL msg=audit(1244817244.464:69): arch=c0000032 syscall=1163 success=yes exit=0 a0=11a7 a1=0 a2=60000fffffc7f148 a3=200000080080c238 items=0 ppid=4516 pid=4519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1244817244.468:70): avc: denied { write } for pid=4519 comm="pluto" name="ipsec.d" dev=dm-0 ino=8522401 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir
type=SYSCALL msg=audit(1244817244.468:70): arch=c0000032 syscall=1028 success=no exit=-13 a0=20000008009a0760 a1=242 a2=180 a3=c00000000000193a items=0 ppid=4516 pid=4519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1244817244.484:71): avc: denied { read } for pid=4519 comm="pluto" name="tmp" dev=dm-0 ino=10190849 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1244817244.484:71): arch=c0000032 syscall=1028 success=no exit=-13 a0=2000000800bc4240 a1=0 a2=1b6 a3=591181 items=0 ppid=4516 pid=4519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1244817244.484:72): avc: denied { read } for pid=4519 comm="pluto" name="tmp" dev=dm-0 ino=10420228 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1244817244.484:72): arch=c0000032 syscall=1028 success=no exit=-13 a0=2000000800bc4248 a1=0 a2=1b6 a3=591181 items=0 ppid=4516 pid=4519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1244817244.484:73): avc: denied { read } for pid=4519 comm="pluto" name="tmp" dev=dm-0 ino=10420228 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1244817244.484:73): arch=c0000032 syscall=1028 success=no exit=-13 a0=2000000800bc4258 a1=0 a2=1b6 a3=591181 items=0 ppid=4516 pid=4519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1244817244.484:74): avc: denied { write } for pid=4519 comm="pluto" name="ipsec.d" dev=dm-0 ino=8522401 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir
type=SYSCALL msg=audit(1244817244.484:74): arch=c0000032 syscall=1028 success=no exit=-13 a0=20000008009a89b0 a1=242 a2=180 a3=c00000000000193a items=0 ppid=4516 pid=4519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=USER_ACCT msg=audit(1244817301.155:75): user pid=4536 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1244817301.159:76): user pid=4536 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1244817301.159:77): login pid=4536 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=8
type=USER_START msg=audit(1244817301.179:78): user pid=4536 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1244817301.587:79): user pid=4536 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1244817301.587:80): user pid=4536 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

# /etc/init.d/ipsec status
IPsec stopped but... has subsystem lock (/var/lock/subsys/ipsec)!
type=AVC msg=audit(1244817358.011:81): avc: denied { ptrace } for pid=4551 comm="ps" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_mgmt_t:s0 tclass=process
type=SYSCALL msg=audit(1244817358.011:81): arch=c0000032 syscall=1026 success=yes exit=222 a0=6 a1=20000000000a3008 a2=3ff a3=200000000008d0d0 items=0 ppid=4546 pid=4551 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="ps" exe="/bin/ps" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
selinux-policy-2.4.6-246.el5 fixes this.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1350.html