Bug 591975 - SELinux denies write and read to socket during openswan connection
Summary: SELinux denies write and read to socket during openswan connection
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy   
Version: 5.4.z
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: Milos Malik
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2010-05-13 15:20 UTC by Aleš Mareček
Modified: 2011-01-13 21:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
During an Openswan connection, SELinux did not allow the access to the socket, and relevant AVC messages were written to the audit log. With this update, a patch has been applied to add required SELinux rules, so that SELinux no longer denies this access.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-13 21:49:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 16:11:15 UTC

Description Aleš Mareček 2010-05-13 15:20:34 UTC
Description of problem:
SELinux denies write and read to socket during openswan connection. See the AVC messages:
----
time->Thu May 13 09:08:30 2010
type=SYSCALL msg=audit(1273756110.492:31467): arch=14 syscall=11 success=yes exit=0 a0=7cd896c a1=ffce8de4 a2=ffcef9b8 a3=ffcea84c items=0 ppid=31026 pid=31223 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5062 comm="sh" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561930]" dev=sockfs ino=1561930 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561929]" dev=sockfs ino=1561929 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
----
time->Thu May 13 09:08:30 2010
type=SYSCALL msg=audit(1273756110.511:31468): arch=14 syscall=11 success=yes exit=0 a0=100e7cd0 a1=100e86e0 a2=100edbb0 a3=0 items=0 ppid=31224 pid=31225 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5062 comm="ip" exe="/sbin/ip" subj=root:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1273756110.511:31468): avc: denied { write } for pid=31225 comm="ip" path="pipe:[1562542]" dev=pipefs ino=1562542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=fifo_file
type=AVC msg=audit(1273756110.511:31468): avc: denied { write } for pid=31225 comm="ip" path="pipe:[1562542]" dev=pipefs ino=1562542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=fifo_file
----

Version-Release number of selected component (if applicable):
openswan-2.6.21-5.el5_4.3 and older

How reproducible:
Always

Steps to Reproduce:
1. Turn on SELinux and configure openswan, for example as follows.
setenforce 1

/etc/ipsec.conf:
version 2.0

config setup
	crlcheckinterval="180"
	strictcrlpolicy=no
	protostack=netkey
	interfaces=%defaultroute
	plutodebug=all

conn host-host
	auto=add
	auth=esp
	authby=secret
	left=<left machine ip>
	right=<right machine ip>

/etc/ipsec.secrets:
: PSK "secret"

* On the second machine, change the IPs (left and right).

2. Restart openswan.
service ipsec restart (both sides)
ipsec auto --up host-host (left side)
3. See avc messages.
ausearch -m avc -ts recent
  
Actual results:
Avc messages found.

Expected results:
No avc messages.

Additional info:

Comment 2 Daniel Walsh 2010-05-14 13:12:53 UTC
This is either a leaked file descriptor from openswan or a redirection of stdout or stderr.

In RHEL6, audit2allow reports:

audit2allow -i /tmp/t


#============= ifconfig_t ==============
#!!!! This avc is allowed in the current policy

allow ifconfig_t ipsec_t:fifo_file write;

#============= ipsec_mgmt_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };

Miroslav, can you see if these rules are in the 5.5 policy?
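
As an added example (not code from this bug report, openswan or the selinux-policy package), the following Python does for the AVC records quoted in the description what the ausearch and audit2allow steps above do: it parses the denial lines (embedded below as constructed sample input copied from the description), merges them into allow rules keyed by source type, target type and object class in audit2allow's output format, and, following the reasoning in this comment, flags denials whose object is an anonymous socket or pipe labelled with a different domain than the process touching it. An anonymous fd carries the label of the domain that created it, so that pattern is the signature of a descriptor created under ipsec_t and inherited across exec by the helper script or /sbin/ip. The inherited-fd heuristic is this example's own, not an audit2allow feature.

```python
"""Parse ausearch-style AVC denials, merge them into allow rules the way
audit2allow does, and flag denials that point at a file descriptor inherited
across a domain transition.

Added example for this bug report; not part of the bug, openswan or the
selinux-policy package.  The sample records below are constructed from the
AVC lines quoted in the description."""
import re
from collections import defaultdict

# Constructed sample input: the AVC records from the description.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561930]" dev=sockfs ino=1561930 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561929]" dev=sockfs ino=1561929 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1273756110.511:31468): avc: denied { write } for pid=31225 comm="ip" path="pipe:[1562542]" dev=pipefs ino=1562542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=fifo_file
"""

DENIED_RE = re.compile(r'avc: +denied +\{ ([^}]*)\} for (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ANON_FD_RE = re.compile(r'^(socket|pipe):\[\d+\]$')


def parse_avc(line):
    """Return a dict of fields for one 'type=AVC ... denied' line, else None."""
    if not line.startswith('type=AVC'):
        return None
    m = DENIED_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec['perms'] = set(m.group(1).split())
    return rec


def type_of(context):
    """Type component of a user:role:type[:range] security context."""
    return context.split(':')[2]


def allow_rules(audit_text):
    """Merge denials by (source type, target type, class) into allow rules,
    formatted as audit2allow prints them."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
            merged[key] |= rec['perms']
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perms = ' '.join(sorted(perms))
        if ' ' in perms:
            perms = '{ ' + perms + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perms};')
    return rules


def inherited_fd_denials(audit_text):
    """Denials on anonymous socket/pipe objects whose label is a different
    domain from the process touching them.  Such objects carry the label of
    the domain that created them, so this pattern means the descriptor was
    created in the tcontext domain and inherited across exec: a leaked fd or
    a redirected stdout/stderr.  Heuristic of this example, not an
    audit2allow feature."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or not ANON_FD_RE.match(rec.get('path', '')):
            continue
        src, tgt = type_of(rec['scontext']), type_of(rec['tcontext'])
        if src != tgt:
            hits.append((rec['comm'], rec['path'], src, tgt))
    return hits


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    for comm, path, src, tgt in inherited_fd_denials(SAMPLE_AUDIT):
        print(f'{comm}: {path} labelled {tgt} but used from {src} (inherited fd?)')
```

Run against the records above it yields exactly the two rules audit2allow printed in this comment and flags all three denials as inherited descriptors. On a host still carrying the old policy, the same rules can be built into a local module with audit2allow -M and loaded with semodule -i as a stopgap until the errata package is installed; note that the audit2allow output quoted here shows the RHEL6 policy allowing the fifo write but only dontauditing the socket access, which is the usual treatment for a descriptor that leaked across a transition rather than one the domain legitimately needs.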

Comment 3 Daniel Walsh 2010-05-14 13:16:05 UTC
Does not look like these are in RHEL5 yet.  

Miroslav, Please backport the fixes in sysnetwork.if and ipsec.te

Comment 4 Miroslav Grepl 2010-07-22 09:22:42 UTC
Fixed in selinux-policy-2.4.6-281.el5.noarch

Comment 7 Jaromir Hradilek 2011-01-05 16:14:51 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
During an Openswan connection, SELinux did not allow the access to the socket, and relevant AVC messages were written to the audit log. With this update, a patch has been applied to add required SELinux rules, so that SELinux no longer denies this access.

Comment 9 errata-xmlrpc 2011-01-13 21:49:34 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

