Bug 537106 - Openswan can't write to /var/log/pluto.log file
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware/OS: All Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2009-11-12 09:48 EST by Aleš Mareček
Modified: 2012-10-15 10:34 EDT
Doc Type: Bug Fix
Last Closed: 2010-03-30 03:49:24 EDT

Attachments: None
Description Aleš Mareček 2009-11-12 09:48:22 EST
Description of problem:
If you switch selinux to enforcing mode and set "plutostderrlog=/var/log/pluto.log", you'll get a message: ipsec_setup: Cannot write to directory to create "/var/log/pluto.log".

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-255.el5_4.1.noarch
openswan-2.6.21-5.el5_4.1.i386

How reproducible:
always

Steps to Reproduce:
1. install openswan
2. set variable "plutostderrlog=/var/log/pluto.log" to /etc/ipsec.conf
3. start ipsec by "service ipsec start"
  
Actual results:
ipsec writes:
ipsec_setup: Cannot write to directory to create "/var/log/pluto.log".

selinux messages:
$ sesearch -s ipsec_mgmt_t --all | grep -i log
   allow ipsec_mgmt_t devlog_t : lnk_file read ; 
   allow ipsec_mgmt_t devlog_t : sock_file { ioctl read write getattr lock append }; 
   allow ipsec_mgmt_t syslogd_t : unix_stream_socket connectto ; 
   allow ipsec_mgmt_t syslogd_t : unix_dgram_socket sendto ;

$ cat /var/log//audit/audit.log | grep "pluto.log"
type=AVC msg=audit(1257934981.359:9156): avc:  denied  { append } for  pid=32623 comm="_plutorun" name="pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1257934981.360:9157): avc:  denied  { append } for  pid=32623 comm="_plutorun" name="pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035524.222:16802): avc:  denied  { write } for  pid=7435 comm="_plutorun" name="pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1258035590.005:16805): avc:  denied  { append } for  pid=7588 comm="_plutorun" name="pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035590.005:16806): avc:  denied  { append } for  pid=7588 comm="pluto" path="/pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035590.119:16807): avc:  denied  { append } for  pid=7588 comm="pluto" path="/pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035590.134:16809): avc:  denied  { append } for  pid=7633 comm="sh" path="/pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035632.436:16832): avc:  denied  { add_name } for  pid=8058 comm="_plutorun" name="pluto.log" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1258035632.436:16832): avc:  denied  { create } for  pid=8058 comm="_plutorun" name="pluto.log" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1258035632.436:16833): avc:  denied  { write } for  pid=8058 comm="_plutorun" path="/var/log/pluto.log" dev=sda2 ino=12353816 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file

Expected results:
writing enabled

Additional info:
ipsec tries to write to the log file, but it is not allowed; then it's probably redirected to /pluto.log with the same result.
If you switch off selinux by "setenforce 0", openswan reacts correctly to the "plutostderrlog" variable in /etc/ipsec.conf and logging starts as expected.
Comment 1 Daniel Walsh 2009-11-12 10:16:16 EST
Could you try out the latest 5.5 policy? A preview is available on

http://people.redhat.com/dwalsh/SELinux/RHEL5
Comment 2 Aleš Mareček 2009-11-12 10:47:34 EST
Hi Daniel,
Of course I can, but please let me know which package I should install from this list.
Thanks!
Comment 3 Daniel Walsh 2009-11-12 12:03:43 EST
Just grab the selinux-policy packages from the noarch directory.
Comment 4 Aleš Mareček 2009-11-13 04:42:02 EST
Tested without any success. The same state appeared.
Comment 6 Daniel Walsh 2009-11-13 07:58:14 EST
OK, the current policy does not have any coverage of log files in F12 or RHEL5.  You can

chcon -t ipsec_var_run_t /var/log/pluto.log

And you should be able to run without any AVC messages, and get your log info.
Comment 7 Daniel Walsh 2009-11-13 08:03:55 EST
Miroslav, we need to add an ipsec_log_t to the RHEL5 policy

te file

type ipsec_log_t;
logging_log_file(ipsec_log_t)
...

# log files
manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)

fc file

/var/log/racoon\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
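As an added illustration (not part of the bug report or of the selinux-policy package), the script below parses AVC records of the shape shown in the description, merges them into the allow rules they literally request, and flags targets labelled root_t, which here is the log file that ended up at /pluto.log instead of under /var/log. The sample records are constructed from the ones in the description; the rules it prints are the raw audit2allow-style request, whereas the fix sketched in this comment scopes access to a dedicated ipsec_log_t type with a file transition.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records shaped like those in the bug description
# (same contexts, classes and names; not a live capture).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1258035590.005:16805): avc:  denied  { append } for  pid=7588 comm="_plutorun" name="pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035590.005:16806): avc:  denied  { append } for  pid=7588 comm="pluto" path="/pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035632.436:16832): avc:  denied  { add_name } for  pid=8058 comm="_plutorun" name="pluto.log" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1258035632.436:16832): avc:  denied  { create } for  pid=8058 comm="_plutorun" name="pluto.log" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1258035632.436:16833): avc:  denied  { write } for  pid=8058 comm="_plutorun" path="/var/log/pluto.log" dev=sda2 ino=12353816 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS_RE = re.compile(r'denied\s+\{ ([^}]+) \}')  # the { perm perm ... } set

def parse_avc(line):
    """Return (perms, source type, target type, tclass, target) or None.
    Types are the third field of a user:role:type[:level] context."""
    if 'type=AVC' not in line or 'denied' not in line:
        return None
    f = dict(FIELD_RE.findall(line))
    perms = set(PERMS_RE.search(line).group(1).split())
    target = (f.get('path') or f.get('name', '')).strip('"')
    return perms, f['scontext'].split(':')[2], f['tcontext'].split(':')[2], f['tclass'], target

def summarize(audit_text):
    """Merge denials by (source, target, class); flag files labelled root_t,
    i.e. the log that was created outside /var/log (here /pluto.log)."""
    rules, misplaced = defaultdict(set), []
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, stype, ttype, tclass, target = parsed
        rules[(stype, ttype, tclass)] |= perms
        if ttype == 'root_t':
            misplaced.append(target)
    return rules, misplaced

def to_te(rules):
    """Render the merged denials as the allow rules audit2allow would propose."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == '__main__':
    rules, misplaced = summarize(SAMPLE_AUDIT)
    print('\n'.join(to_te(rules)))
    print('relabel or move instead of allowing:', misplaced)
```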
Comment 8 Aleš Mareček 2009-12-02 05:24:21 EST
FYI: Same problem with RHEL6. I suppose you know about it.
Comment 9 Daniel Walsh 2009-12-02 07:43:50 EST
Ales, if you update RHEL6 to the latest F12 policy this should be fixed.  This should happen before the beta.
Comment 10 Miroslav Grepl 2009-12-02 09:17:01 EST
Fixed in selinux-policy-2.4.6-265.el5.noarch
Comment 11 Aleš Mareček 2009-12-03 05:04:10 EST
Daniel, I tried it on RHEL6 - same problem with the log file.
Tried with policy selinux-policy-2.4.6-264.el5 (package selinux-policy-3.6.32-24.el6.noarch (which is newer than selinux-policy-2.4.6-264.el5.noarch) is already installed).
I don't know where I could get a newer policy version; 'http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/' contains only 264.
Comment 12 Aleš Mareček 2009-12-03 05:30:52 EST
Tested on RHEL6 with selinux-policy-3.6.32-53.fc12.noarch and selinux-policy-targeted-3.6.32-53.fc12.noarch - works fine!
But I still caught some AVCs...
----
time->Thu Dec  3 10:00:17 2009
type=SYSCALL msg=audit(1259852417.493:46363): arch=80000015 syscall=33 success=no exit=-13 a0=fff7b053930 a1=7 a2=fffcf3bd730 a3=fffffffffefefeff items=0 ppid=30954 pid=30955 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4055 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1259852417.493:46363): avc:  denied  { write } for  pid=30955 comm="pluto" name="tmp" dev=dm-0 ino=32770 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Dec  3 10:00:17 2009
type=SYSCALL msg=audit(1259852417.563:46364): arch=80000015 syscall=54 success=no exit=-19 a0=14 a1=89f3 a2=fffcf3ba9b0 a3=4000 items=0 ppid=30954 pid=30955 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4055 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1259852417.563:46364): avc:  denied  { sys_module } for  pid=30955 comm="pluto" capability=16 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:system_r:ipsec_t:s0 tclass=capability
Comment 13 Daniel Walsh 2009-12-03 10:00:51 EST
Ales, did you disable IPV6?
Comment 14 Daniel Walsh 2009-12-03 10:02:39 EST
What is pluto trying to create in /tmp?  It should be using /var/run
Comment 15 Aleš Mareček 2009-12-10 09:12:21 EST
Daniel, IPv6 is on, but the connection is created through IPv4. Do I have to disable IPv6 - why? But the good question is: why does pluto try to write to /tmp - I don't know yet. Pinging Avesh...
Comment 16 Avesh Agarwal 2009-12-10 11:08:43 EST
Hi Ales,

There is not much that changed between openswan-2.6.21-5.el5_4 and openswan-2.6.21-5.el5_4.1 in RHEL5.4. I am wondering now why the AVCs related to /tmp are showing up. I am looking into the Openswan code about it.

Thanks and Regards
Avesh
Comment 17 Daniel Walsh 2009-12-10 11:26:21 EST
Ales, there is another bug report open discussing the sys_module and /tmp access request.
Comment 21 errata-xmlrpc 2010-03-30 03:49:24 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
