Description of problem:
SELinux denies write and read to socket during openswan connection. See avc message:

----
time->Thu May 13 09:08:30 2010
type=SYSCALL msg=audit(1273756110.492:31467): arch=14 syscall=11 success=yes exit=0 a0=7cd896c a1=ffce8de4 a2=ffcef9b8 a3=ffcea84c items=0 ppid=31026 pid=31223 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5062 comm="sh" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561930]" dev=sockfs ino=1561930 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561929]" dev=sockfs ino=1561929 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
----
time->Thu May 13 09:08:30 2010
type=SYSCALL msg=audit(1273756110.511:31468): arch=14 syscall=11 success=yes exit=0 a0=100e7cd0 a1=100e86e0 a2=100edbb0 a3=0 items=0 ppid=31224 pid=31225 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5062 comm="ip" exe="/sbin/ip" subj=root:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1273756110.511:31468): avc: denied { write } for pid=31225 comm="ip" path="pipe:[1562542]" dev=pipefs ino=1562542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=fifo_file
type=AVC msg=audit(1273756110.511:31468): avc: denied { write } for pid=31225 comm="ip" path="pipe:[1562542]" dev=pipefs ino=1562542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=fifo_file
----

Version-Release number of selected component (if applicable):
openswan-2.6.21-5.el5_4.3 and older

How reproducible:
Always

Steps to Reproduce:
1. Turn on the selinux, configure openswan, for example like following.

setenforce 1

/etc/ipsec.conf:
version 2.0
config setup
    crlcheckinterval="180"
    strictcrlpolicy=no
    protostack=netkey
    interfaces=%defaultroute
    plutodebug=all
conn host-host
    auto=add
    auth=esp
    authby=secret
    left=<left machine ip>
    right=<right machine ip>

/etc/ipsec.secrets:
: PSK "secret"

* on second machine change IPs (left and right)

2. Restart openswan.
service ipsec restart (both sides)
ipsec auto --up host-host (left side)

3. See avc messages.
ausearch -m avc -ts recent

Actual results:
Avc messages found.

Expected results:
No avc messages.

Additional info:
This is either a leaked file descriptor from openswan or a redirection of stdout or stderr. In RHEL6 audit2allow reports.

audit2allow -i /tmp/t

#============= ifconfig_t ==============
#!!!! This avc is allowed in the current policy
allow ifconfig_t ipsec_t:fifo_file write;

#============= ipsec_mgmt_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }

Miroslav, can you see if these rules are in 5.5 policy?
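The audit2allow output above is derived mechanically from the AVC records in the report. As an added illustration (not Red Hat's, openswan's, or audit2allow's own code), the following script parses the three AVC lines quoted in this bug, merges denials that share the same source type, target type and object class, and prints the resulting allow rules. Unlike the real audit2allow it does not consult the loaded policy, so it cannot report whether a rule is already allowed or covered by a dontaudit rule.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this bug report, one per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561930]" dev=sockfs ino=1561930 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561929]" dev=sockfs ino=1561929 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1273756110.511:31468): avc: denied { write } for pid=31225 comm="ip" path="pipe:[1562542]" dev=pipefs ino=1562542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=fifo_file
"""

# Matches the permission set, the two security contexts and the object class of one AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field (user:role:type:level -> type) of an SELinux context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % ctx)
    return parts[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other non-AVC lines are skipped
        yield (context_type(m.group("scontext")), context_type(m.group("tcontext")),
               m.group("tclass"), set(m.group("perms").split()))

def allow_rules(text):
    """Merge denials on (source, target, class) and format each as a policy allow rule."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ %s }" % " ".join(plist)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
```

Running it on the sample prints the same two rules audit2allow produced for this bug; the merge step is why the two unix_stream_socket denials (two different socket inodes) collapse into a single rule.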
Does not look like these are in RHEL5 yet. Miroslav, please backport the fixes in sysnetwork.if and ipsec.te.
Fixed in selinux-policy-2.4.6-281.el5.noarch
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: During an Openswan connection, SELinux did not allow access to the socket, and relevant AVC messages were written to the audit log. With this update, a patch has been applied to add the required SELinux rules, so that SELinux no longer denies this access.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html