Bug 591975 - SELinux denies write and read to socket during openswan connection
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
Version: 5.4.z
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Walsh
QA Contact: Milos Malik
Docs Contact:
Depends On:
Blocks:
Reported: 2010-05-13 11:20 EDT by Aleš Mareček
Modified: 2011-01-13 16:49 EST
CC List: 5 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
During an Openswan connection, SELinux did not allow the access to the socket, and relevant AVC messages were written to the audit log. With this update, a patch has been applied to add required SELinux rules, so that SELinux no longer denies this access.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-13 16:49:34 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Aleš Mareček 2010-05-13 11:20:34 EDT
Description of problem:
SELinux denies write and read to socket during openswan connection. See avc message:
----
time->Thu May 13 09:08:30 2010
type=SYSCALL msg=audit(1273756110.492:31467): arch=14 syscall=11 success=yes exit=0 a0=7cd896c a1=ffce8de4 a2=ffcef9b8 a3=ffcea84c items=0 ppid=31026 pid=31223 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5062 comm="sh" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561930]" dev=sockfs ino=1561930 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561929]" dev=sockfs ino=1561929 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
----
time->Thu May 13 09:08:30 2010
type=SYSCALL msg=audit(1273756110.511:31468): arch=14 syscall=11 success=yes exit=0 a0=100e7cd0 a1=100e86e0 a2=100edbb0 a3=0 items=0 ppid=31224 pid=31225 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5062 comm="ip" exe="/sbin/ip" subj=root:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1273756110.511:31468): avc: denied { write } for pid=31225 comm="ip" path="pipe:[1562542]" dev=pipefs ino=1562542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=fifo_file
type=AVC msg=audit(1273756110.511:31468): avc: denied { write } for pid=31225 comm="ip" path="pipe:[1562542]" dev=pipefs ino=1562542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=fifo_file
----

Version-Release number of selected component (if applicable):
openswan-2.6.21-5.el5_4.3 and older

How reproducible:
Always

Steps to Reproduce:
1. Turn on SELinux and configure openswan, for example as follows.
setenforce 1

/etc/ipsec.conf:
version 2.0

config setup
	crlcheckinterval="180"
	strictcrlpolicy=no
	protostack=netkey
	interfaces=%defaultroute
	plutodebug=all

conn host-host
	auto=add
	auth=esp
	authby=secret
	left=<left machine ip>
	right=<right machine ip>

/etc/ipsec.secrets:
: PSK "secret"

* on second machine change IPs (left and right)

2. Restart openswan.
service ipsec restart (both sides)
ipsec auto --up host-host (left side)
3. See avc messages.
ausearch -m avc -ts recent
  
Actual results:
Avc messages found.

Expected results:
No avc messages.

Additional info:
Comment 2 Daniel Walsh 2010-05-14 09:12:53 EDT
This is either a leaked file descriptor from openswan or a redirection of stdout or stderr.

In RHEL6 audit2allow reports.

audit2allow -i /tmp/t


#============= ifconfig_t ==============
#!!!! This avc is allowed in the current policy

allow ifconfig_t ipsec_t:fifo_file write;

#============= ipsec_mgmt_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }

Miroslav, can you see if these rules are in 5.5 policy?
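The aggregation step audit2allow performs above, as an added example that is not part of this bug report or of the selinux-policy package: each AVC record is reduced to (source type, target type, object class, permissions), records with the same key are merged, and one allow rule per key is emitted. The input is the three AVC records from the description; the parser and rule renderer are hypothetical helpers written for this illustration.

```python
import re
from collections import defaultdict

# The AVC records quoted in the description, embedded as input.
SAMPLE_AVC = """\
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561930]" dev=sockfs ino=1561930 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561929]" dev=sockfs ino=1561929 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1273756110.511:31468): avc: denied { write } for pid=31225 comm="ip" path="pipe:[1562542]" dev=pipefs ino=1562542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=fifo_file
"""

# Pull the permission set and the three context fields out of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """user:role:type:level -> type (the part a policy rule names)."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, {perms}) for every AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue          # SYSCALL, PATH and other record types carry no denial
        yield (type_of(m["scontext"]), type_of(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))

def allow_rules(text):
    """Merge records by (source, target, class) and render allow rules, as audit2allow does.
    A rule generated this way is a starting point, not a verdict: when the denied object is a
    socket or pipe the process merely inherited (here, from the ipsec_t parent), the right fix
    may be closing the descriptor or a dontaudit rule rather than a new allow."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVC)))
```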
Comment 3 Daniel Walsh 2010-05-14 09:16:05 EDT
Does not look like these are in RHEL5 yet.

Miroslav, Please backport the fixes in sysnetwork.if and ipsec.te
Comment 4 Miroslav Grepl 2010-07-22 05:22:42 EDT
Fixed in selinux-policy-2.4.6-281.el5.noarch
Comment 7 Jaromir Hradilek 2011-01-05 11:14:51 EST
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
During an Openswan connection, SELinux did not allow the access to the socket, and relevant AVC messages were written to the audit log. With this update, a patch has been applied to add required SELinux rules, so that SELinux no longer denies this access.
Comment 9 errata-xmlrpc 2011-01-13 16:49:34 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html
