Created attachment 499181
strace log of run_init service ipsec restart

Description of problem:
This bug is similar to bug 662064 but there are some differences.
# run_init service ipsec start/restart command does not start ipsec. This bug prevents start/restart ipsec in MLS policy (because you have to use run_init in MLS).

[root@dhcp-30-102 ~]# run_init service ipsec restart
Authenticating ksrot.
Password:
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.10.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@dhcp-30-102 ~]# ps -ef | grep pluto
root 11869 9604 0 16:47 pts/18 00:00:00 grep pluto
[root@dhcp-30-102 ~]#

BUT without run_init

[root@dhcp-30-102 ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.10.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@dhcp-30-102 ~]# ps -ef | grep pluto
root 12031 1 0 16:48 pts/18 00:00:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private --listen --crlcheckinterval 0 --ocspuri --nhelpers --secctx_attr_value --dump --opts --stderrlog /var/log/pluto.log --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
root 12032 1 0 16:48 pts/18 00:00:00 logger -s -p daemon.error -t ipsec__plutorun
root 12035 12031 0 16:48 pts/18 00:00:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private --listen --crlcheckinterval 0 --ocspuri --nhelpers --secctx_attr_value --dump --opts --stderrlog /var/log/pluto.log --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
root 12036 12031 0 16:48 pts/18 00:00:00 /bin/sh /usr/libexec/ipsec/_plutoload --wait no --post
root 12038 12035 0 16:48 pts/18 00:00:00 /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --stderrlog
root 12066 12038 0 16:48 pts/18 00:00:00 _pluto_adns
root 12086 9604 0 16:48 pts/18 00:00:00 grep pluto
[root@dhcp-30-102 ~]#

This is not a selinux issue, since the system is in permissive mode

Version-Release number of selected component (if applicable):
policycoreutils-2.0.83-19.8.el6_0.x86_64
openswan-2.6.32-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. configure ipsec on your rhel6.1 system e.g.

[root@dhcp-30-102 ~]# cat /etc/ipsec.conf
version 2.0

config setup
        protostack=netkey
        nat_traversal=yes
        plutostderrlog=/var/log/pluto.log

conn host-to-host
        left=10.1.0.1
        leftid=10.1.0.1
        right=10.1.0.2
        rightid=10.1.0.2
        keyexchange=ike
        esp=3des-sha1-96
        authby=secret
        auto=add
[root@dhcp-30-102 ~]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
10.1.0.1 10.1.0.2: PSK "my-secret-password"
[root@dhcp-30-102 ~]#

2. # service ipsec start; ps -ef | grep pluto; service ipsec stop
   just to verify ipsec can start
3. # run_init service ipsec start

Actual results:
ipsec services do not start

Additional info:
[root@dhcp-30-102 ~]# run_init service ipsec start
Authenticating ksrot.
Password:
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.10.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@dhcp-30-102 ~]# cat /var/log/messages
May 16 16:55:00 dhcp-30-102 kernel: NET: Registered protocol family 15
May 16 16:55:00 dhcp-30-102 ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.10.el6.x86_64...
May 16 16:55:00 dhcp-30-102 ipsec_setup: Using NETKEY(XFRM) stack
May 16 16:55:00 dhcp-30-102 kernel: padlock: VIA PadLock not detected.
May 16 16:55:00 dhcp-30-102 kernel: padlock: VIA PadLock Hash Engine not detected.
May 16 16:55:00 dhcp-30-102 kernel: Intel AES-NI instructions are not detected.
May 16 16:55:00 dhcp-30-102 kernel: padlock: VIA PadLock not detected.
May 16 16:55:00 dhcp-30-102 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
May 16 16:55:00 dhcp-30-102 ipsec_setup: ...Openswan IPsec started
[root@dhcp-30-102 ~]# cat /var/log/pluto.log
Plutorun started on Mon May 16 16:55:00 CEST 2011
[root@dhcp-30-102 ~]# service ipsec status
IPsec stopped but... has subsystem lock (/var/lock/subsys/ipsec)!

strace log attached

Will remove special tty handling from run_init to make this work.

Another consequence of the same problem:
* "service abrt-oops start" works as expected
* "run_init service abrt-oops start" doesn't

*** This bug has been marked as a duplicate of bug 662064 ***