
Bug 705077

Summary: cannot start ipsec using run_init
Product: Red Hat Enterprise Linux 6
Component: policycoreutils
Version: 6.1
Hardware: All
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: high
Target Milestone: rc
Reporter: Karel Srot <ksrot>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Milos Malik <mmalik>
CC: avagarwa, dwalsh, mgrepl, mmalik
Doc Type: Bug Fix
Last Closed: 2011-09-08 14:40:00 UTC
Bug Blocks: 682670
Attachments: strace log of run_init service ipsec restart

Description Karel Srot 2011-05-16 15:05:49 UTC
Created attachment 499181
strace log of  run_init service ipsec restart

Description of problem:

This bug is similar to bug 662064 but there are some differences.

# run_init service ipsec start/restart

command does not start ipsec. This bug prevents starting or restarting ipsec under the MLS policy (because you have to use run_init in MLS).

[root@dhcp-30-102 ~]# run_init service ipsec restart
Authenticating ksrot.
Password: 
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.10.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@dhcp-30-102 ~]# ps -ef | grep pluto
root     11869  9604  0 16:47 pts/18   00:00:00 grep pluto
[root@dhcp-30-102 ~]#

BUT without run_init
 
[root@dhcp-30-102 ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.10.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@dhcp-30-102 ~]# ps -ef | grep pluto
root     12031     1  0 16:48 pts/18   00:00:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug  --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive  --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private  --listen  --crlcheckinterval 0 --ocspuri  --nhelpers  --secctx_attr_value  --dump  --opts  --stderrlog /var/log/pluto.log --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
root     12032     1  0 16:48 pts/18   00:00:00 logger -s -p daemon.error -t ipsec__plutorun
root     12035 12031  0 16:48 pts/18   00:00:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug  --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive  --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private  --listen  --crlcheckinterval 0 --ocspuri  --nhelpers  --secctx_attr_value  --dump  --opts  --stderrlog /var/log/pluto.log --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
root     12036 12031  0 16:48 pts/18   00:00:00 /bin/sh /usr/libexec/ipsec/_plutoload --wait no --post 
root     12038 12035  0 16:48 pts/18   00:00:00 /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --stderrlog
root     12066 12038  0 16:48 pts/18   00:00:00 _pluto_adns
root     12086  9604  0 16:48 pts/18   00:00:00 grep pluto
[root@dhcp-30-102 ~]#

This is not an SELinux issue, since the system is in permissive mode.

Version-Release number of selected component (if applicable):
policycoreutils-2.0.83-19.8.el6_0.x86_64
openswan-2.6.32-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Configure ipsec on your RHEL 6.1 system,
e.g.
[root@dhcp-30-102 ~]# cat /etc/ipsec.conf
version    2.0

config setup
    protostack=netkey
    nat_traversal=yes
    plutostderrlog=/var/log/pluto.log

conn host-to-host
    left=10.1.0.1
    leftid=10.1.0.1
    right=10.1.0.2
    rightid=10.1.0.2
    keyexchange=ike
    esp=3des-sha1-96
    authby=secret
    auto=add
[root@dhcp-30-102 ~]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets

10.1.0.1 10.1.0.2: PSK "my-secret-password"
[root@dhcp-30-102 ~]#

2. # service ipsec start; ps -ef | grep pluto; service ipsec stop 
just to verify ipsec can start

3. # run_init service ipsec start

  
Actual results:
ipsec services do not start


Additional info:

[root@dhcp-30-102 ~]# run_init service ipsec start
Authenticating ksrot.
Password: 
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.10.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@dhcp-30-102 ~]# cat /var/log/messages

May 16 16:55:00 dhcp-30-102 kernel: NET: Registered protocol family 15
May 16 16:55:00 dhcp-30-102 ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.10.el6.x86_64...
May 16 16:55:00 dhcp-30-102 ipsec_setup: Using NETKEY(XFRM) stack
May 16 16:55:00 dhcp-30-102 kernel: padlock: VIA PadLock not detected.
May 16 16:55:00 dhcp-30-102 kernel: padlock: VIA PadLock Hash Engine not detected.
May 16 16:55:00 dhcp-30-102 kernel: Intel AES-NI instructions are not detected.
May 16 16:55:00 dhcp-30-102 kernel: padlock: VIA PadLock not detected.
May 16 16:55:00 dhcp-30-102 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
May 16 16:55:00 dhcp-30-102 ipsec_setup: ...Openswan IPsec started
[root@dhcp-30-102 ~]# cat /var/log/pluto.log 
Plutorun started on Mon May 16 16:55:00 CEST 2011
[root@dhcp-30-102 ~]# service ipsec status
IPsec stopped
but...
has subsystem lock (/var/lock/subsys/ipsec)!

strace log attached
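
The report above shows ipsec_setup logging "...Openswan IPsec started" while no pluto process exists and only the subsystem lock is left behind. The following check is an added example, not part of the original report or of Openswan: it classifies the service state from the lock file and PID file paths visible in the report, and the override arguments and state names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide whether ipsec is really up from the two artifacts
# seen in the report, instead of trusting the init script's log message.
# Default paths are the ones shown in the report; the optional arguments
# (an assumption of this example) let the check run against other paths.

# pid_alive PIDFILE -> exit 0 only if the file names a live process.
# kill -0 sends no signal, it only tests for existence; run as root so a
# process owned by another user is not misreported as dead.
pid_alive() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    # PID 0 would address the caller's own process group, so reject it
    [ "$pid" -gt 0 ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# ipsec_state [LOCKFILE] [PIDFILE] prints one of:
#   running     lock present and pluto alive
#   stale-lock  lock present, no live pluto (the state in this report)
#   unlocked    pluto alive but no subsystem lock
#   stopped     neither lock nor live pluto
ipsec_state() {
    lock=${1:-/var/lock/subsys/ipsec}
    pidfile=${2:-/var/run/pluto/pluto.pid}
    if pid_alive "$pidfile"; then
        if [ -e "$lock" ]; then echo running; else echo unlocked; fi
    else
        if [ -e "$lock" ]; then echo stale-lock; else echo stopped; fi
    fi
}
```

Calling ipsec_state after "run_init service ipsec start" on an affected system would be expected to print stale-lock, matching the "IPsec stopped but... has subsystem lock" output above.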

Comment 1 Daniel Walsh 2011-06-14 12:26:29 UTC
Will remove special tty handling from run_init to make this work.

Comment 2 Milos Malik 2011-08-25 13:32:21 UTC
Another consequence of the same problem:
* "service abrt-oops start" works as expected
* "run_init service abrt-oops start" doesn't

Comment 3 Miroslav Grepl 2011-09-08 14:40:00 UTC

*** This bug has been marked as a duplicate of bug 662064 ***