Bug 515687 - MLS selinux-policy: setkey executed from initrc_t from if{up,down}-ipsec fails to set policies
MLS selinux-policy: setkey executed from initrc_t from if{up,down}-ipsec fail...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.3
All Linux
urgent Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE
: Regression, ZStream
Depends On: 500395
Blocks: 538503
  Show dependency treegraph
 
Reported: 2009-08-05 07:35 EDT by Eduard Benes
Modified: 2010-03-30 03:49 EDT (History)
10 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-267.el5.noarch
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 500395
Environment:
Last Closed: 2010-03-30 03:49:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Comment 1 Eduard Benes 2009-08-05 07:54:40 EDT
Re-testing the original bug but in a MLS policy type revealed a regression caused by the current fix for bug 500395. Setroubleshoot daemon does not produce anything because of bug 

MLS in enforcing mode (something seems to be don't audited):
<snip>
[root@dhcp-lab-232 /]# ifup ipsec1
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Missing config file ifcfg-ifcfg-ipsec1.
[root@dhcp-lab-232 /]# ausearch -m avc -ts 13:30
<no matches>
</snip>

MLS in permissive mode:
<snip>
[root@dhcp-lab-232 /]# ifup ipsec1
[root@dhcp-lab-232 /]# ausearch -m avc -ts recent
----
time->Wed Aug  5 13:41:44 2009
type=SYSCALL msg=audit(1249472504.892:354617): arch=40000003 syscall=11 success=yes exit=0 a0=bf84bca9 a1=bf84bb18 a2=9af7858 a3=5 items=0 ppid=9548 pid=9553 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23 comm="auditd" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1249472504.892:354617): avc:  denied  { execute_no_trans } for  pid=9553 comm="env" path="/etc/rc.d/init.d/auditd" dev=dm-0 ino=426463 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_script_exec_t:s0 tclass=file
----
time->Wed Aug  5 13:47:21 2009
type=SYSCALL msg=audit(1249472841.638:354619): arch=40000003 syscall=11 success=yes exit=0 a0=9ddccc0 a1=9db6660 a2=9db6238 a3=0 items=0 ppid=9566 pid=9584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23 comm="setkey" exe="/sbin/setkey" subj=root:sysadm_r:setkey_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1249472841.638:354619): avc:  denied  { read } for  pid=9584 comm="setkey" path=2F746D702F73682D7468642D31323439343535303636202864656C6574656429 dev=dm-0 ino=229380 scontext=root:sysadm_r:setkey_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tmp_t:s0 tclass=file
----
time->Wed Aug  5 13:47:21 2009
type=SYSCALL msg=audit(1249472841.463:354618): arch=40000003 syscall=11 success=yes exit=0 a0=9336ce8 a1=9338d38 a2=93378f0 a3=9338d38 items=0 ppid=8872 pid=9566 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23 comm="ifup-ipsec" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1249472841.463:354618): avc:  denied  { execute_no_trans } for  pid=9566 comm="ifup" path="/etc/sysconfig/network-scripts/ifup-ipsec" dev=dm-0 ino=426629 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
----
time->Wed Aug  5 13:47:22 2009
type=SYSCALL msg=audit(1249472842.116:354620): arch=40000003 syscall=197 success=yes exit=0 a0=0 a1=bfe053f8 a2=c55ff4 a3=c56420 items=0 ppid=9566 pid=9584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23 comm="setkey" exe="/sbin/setkey" subj=root:sysadm_r:setkey_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1249472842.116:354620): avc:  denied  { getattr } for  pid=9584 comm="setkey" path=2F746D702F73682D7468642D31323439343535303636202864656C6574656429 dev=dm-0 ino=229380 scontext=root:sysadm_r:setkey_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tmp_t:s0 tclass=file
[root@dhcp-lab-232 /]# ausearch -m avc -ts recent | audit2allow


#============= setkey_t ==============
allow setkey_t sysadm_tmp_t:file { read getattr };

#============= sysadm_t ==============
allow sysadm_t auditd_script_exec_t:file execute_no_trans;
allow sysadm_t initrc_exec_t:file execute_no_trans;
</snip>
Comment 2 Daniel Walsh 2009-08-05 14:31:17 EDT
In an MLS machine sysadm_t is not allowed to deal with auditd,  You need to be auditadm_t.

Also restarting init scripts has to be done with run_init

run_init system auditd restart

Since the code did not transition you end up with setkey trying to read temporary data created via sysadm_t which causes the problem.
Comment 3 Eduard Benes 2009-08-06 11:18:44 EDT
Here are results from testing in *strict* mode, with turned off don't audit rules using 'semodule -DB'. And going to retest the same way in MLS.

$ ssh -l root dhcp-lab-232
root@dhcp-lab-232's password: 
Last login: Thu Aug  6 16:55:06 2009
-bash: /root/.bash_profile: Permission denied
-bash-3.2# newrole -r sysadm_r
Password: 
[root@dhcp-lab-232 ~]# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
[root@dhcp-lab-232 ~]# semodule -B
[root@dhcp-lab-232 ~]# date
Thu Aug  6 17:07:07 CEST 2009
[root@dhcp-lab-232 ~]# ifup ipsec1
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Missing config file ifcfg-ifcfg-ipsec1.
[root@dhcp-lab-232 ~]# getenforce 
Enforcing
[root@dhcp-lab-232 ~]# grep TYPE /etc/selinux/config 
SELINUXTYPE=strict
[root@dhcp-lab-232 ~]# ausearch -m avc -ts 17:07:07 -sv no
----
time->Thu Aug  6 17:07:14 2009
type=SYSCALL msg=audit(1249571234.496:198): arch=40000003 syscall=33 success=no exit=-13 a0=9bca8c0 a1=1 a2=c55ff4 a3=0 items=0 ppid=2786 pid=2862 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ifup" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1249571234.496:198): avc:  denied  { execute } for  pid=2862 comm="ifup" name="ifup-ipsec" dev=dm-0 ino=426629 scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
----
time->Thu Aug  6 17:07:14 2009
type=SYSCALL msg=audit(1249571234.742:208): arch=40000003 syscall=5 success=no exit=-13 a0=d09bb0 a1=8000 a2=1b6 a3=8cec008 items=0 ppid=2905 pid=2906 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ifconfig" exe="/sbin/ifconfig" subj=root:sysadm_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1249571234.742:208): avc:  denied  { search } for  pid=2906 comm="ifconfig" name="selinux" dev=dm-0 ino=426428 scontext=root:sysadm_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
----
time->Thu Aug  6 17:07:14 2009
type=SYSCALL msg=audit(1249571234.744:209): arch=40000003 syscall=5 success=no exit=-13 a0=bfe54674 a1=8000 a2=0 a3=8000 items=0 ppid=2905 pid=2906 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ifconfig" exe="/sbin/ifconfig" subj=root:sysadm_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1249571234.744:209): avc:  denied  { search } for  pid=2906 comm="ifconfig" name="/" dev=selinuxfs ino=336 scontext=root:sysadm_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir

[root@dhcp-lab-232 ~]# ausearch -m avc -ts 17:07:07 -sv no | audit2allow
#============= ifconfig_t ==============
allow ifconfig_t security_t:dir search;
allow ifconfig_t selinux_config_t:dir search;

#============= sysadm_t ==============
allow sysadm_t initrc_exec_t:file execute
Comment 4 Eduard Benes 2009-08-06 12:18:46 EDT
The issue is with the context of ifup-ipsec script after changes to fix the original bug.

Here is the AVC cought with disabled don't audit rules (semodule -DB).
If enabled, all following AVC are surpressed.

#============= sysadm_t ==============
allow sysadm_t initrc_exec_t:file execute 

<snip>
time->Thu Aug  6 17:07:14 2009
type=SYSCALL msg=audit(1249571234.496:198): arch=40000003 syscall=33 success=no
exit=-13 a0=9bca8c0 a1=1 a2=c55ff4 a3=0 items=0 ppid=2786 pid=2862 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ifup"
exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1249571234.496:198): avc:  denied  { execute } for  pid=2862
comm="ifup" name="ifup-ipsec" dev=dm-0 ino=426629
scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
</snip>

If I change the context of ifup-ipsec script back to bin_t it works as before. Therefore it is a regression.
Comment 6 Eduard Benes 2009-08-07 08:11:54 EDT
> How about if you execute
> run_init ifup-ipsec

  No, it does not work. 

> If you just add
> allow sysadm_t initrc_exec_t:file execute 
> to policy via audit2allow -M mypol
> Does that solve the problem?  


Adding following custom module allows the "ifup ipsec1" to run, but
still prevents it from killing already running instance. Also had to add
execute_no_trans rule to the custom policy.

time->Fri Aug  7 14:01:12 2009
type=SYSCALL msg=audit(1249646472.553:5737): arch=40000003 syscall=195 success=no exit=-13 a0=9062080 a1=bfed1c54 a2=c55ff4 a3=bfed0fcc items=0 ppid=3503 pid=3553 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="killall" exe="/usr/bin/killall" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1249646472.553:5737): avc:  denied  { ptrace } for  pid=3553 comm="killall" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:racoon_t:s0-s15:c0.c1023 tclass=process

# cat mypol.te 
policy_module(mypol,1.0.0)
require{
	type sysadm_t; 
	type initrc_exec_t;

}
allow sysadm_t initrc_exec_t : file { execute_no_trans execute } ;
Comment 9 Daniel Walsh 2009-08-10 10:30:42 EDT
Fixed in selinux-policy-2.4.6-256.el5
Comment 12 Eduard Benes 2009-12-10 11:23:05 EST
Following denial still blocks the expected functionality, and is shown only after
rebuild with "semodule -DB":

#============= setkey_t ==============
allow setkey_t sysadm_tmp_t:file { read getattr };


After adding custom policy module as follows make it work again:

# cat my.te 
policy_module(mypol,1.0.0)
require{
 type setkey_t; 
 type sysadm_tmp_t; 

}
allow setkey_t sysadm_tmp_t:file { read getattr };
# make -f /usr/share/selinux/devel/Makefile
Comment 13 Daniel Walsh 2009-12-10 11:40:35 EST
Does the script create a file in /tmp which is then read by setkey?

Even in F12 we don't allow setkey to read tmp files.

Is this just a test avc or is it real.
Comment 14 Daniel Walsh 2009-12-10 12:56:09 EST
Miroslav, I think adding

userdom_read_unpriv_users_tmp_files(setkey_t)

Will solve this problem.
Comment 15 Eduard Benes 2009-12-10 14:56:05 EST
(In reply to comment #13)
> Does the script create a file in /tmp which is then read by setkey?
> 
> Even in F12 we don't allow setkey to read tmp files.
> 
> Is this just a test avc or is it real.  

I think Tomas Mraz is propably the right person to answer the question about setkey creating file in /tmp. 

This is an AVC denial recorded in Permissive MLS with don't audit rules disabled.
And it seemt o prevent 'ifup ipsec1' from running correctly. The setup is really simple and follows instructions in Deployment Guide as instructed in comment #0.
Comment 16 Daniel Walsh 2009-12-10 15:19:42 EST
Seems plausible, probably has something to do with redirection in the shell

setkey << __EOF
blah
blah
__EOF

could cause it.
Comment 17 Eduard Benes 2009-12-11 04:46:48 EST
(In reply to comment #14)
> Miroslav, I think adding
> 
> userdom_read_unpriv_users_tmp_files(setkey_t)
> 
> Will solve this problem.  

Unfortunately this does not work either if I put it in a local policy package.
The same AVC denial as in comment #12 is present.
Comment 19 Eduard Benes 2009-12-11 09:22:13 EST
Everything seems to work if I use this:

# cat my.if my.te -n
     1	interface(`userdom_read_sysadm_tmp_files',`
     2	  gen_require(`
     3	    type sysadm_tmp_t;
     4	  ')
     5	  allow $1 sysadm_tmp_t:file { read getattr };
     6	')
     7	

     8	policy_module(mysetkey,1.0.0)
     9	
    10	gen_require(`
    11	  type setkey_t;
    12	')
    13	
    14	userdom_read_sysadm_tmp_files(setkey_t);
Comment 22 Miroslav Grepl 2009-12-21 06:28:34 EST
Fixed in selinux-policy-2.4.6-267.el5.noarch
Comment 24 Milos Malik 2010-02-22 10:41:51 EST
(In reply to comment #6)

> Adding following custom module allows the "ifup ipsec1" to run, but
> still prevents it from killing already running instance. Also had to add
> execute_no_trans rule to the custom policy.

The problem has been filed as a separated bug ( https://bugzilla.redhat.com/show_bug.cgi?id=567295 ), because it has more to do with killall and /proc than with ipsec.
Comment 27 errata-xmlrpc 2010-03-30 03:49:09 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html

Note You need to log in before you can comment on or make changes to this bug.