Created attachment 623096 [details] warnings from audit.log While packaging NetworkManager-strongswan and submitting it for review (see bug 863836) I noticed that it doesn't work when SELinux is in enforcing mode. I thought it might be wise to get them fixed, but I'm not a SELinux expert and I failed to find current procedures for a situation like this in the wiki :-/ I'm attaching parts of my audit.log for reference. Using audit2allow I was able to create this to make the warnings go away: """ module charon-nm 1.0; require { type ipsecnat_port_t; type NetworkManager_t; class netlink_xfrm_socket { bind create nlmsg_write }; class udp_socket name_bind; } #============= NetworkManager_t ============== allow NetworkManager_t ipsecnat_port_t:udp_socket name_bind; allow NetworkManager_t self:netlink_xfrm_socket { bind create nlmsg_write }; """ Note, that doesn't solve the problem yet, as this shows up when running in enforcing more type=ANOM_ABEND msg=audit(1349636877.047:2589): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:NetworkManager_t:s0 pid=29480 comm="charon-nm" reason="memory violation" sig=11 That's where my selinux knowledge was at its end; any point how to solve this part of the puzzle (a link to a page gives a few hints) might be all I need to get further with fixing this.
Could you switch to permissive mode and test it in permissive mode and then # setenforce 0 re- test # ausearch -m avc -ts recent
Maybe we should run this command as ipsec_t?
Just a note... Using Openswan policy for Strongswan will probably not work out of the box. The two are too different from each other.
Pavel, could you try to execute # setenforce 0 re- test # ausearch -m avc -ts recent we need to see if we get another AVC msgs.
I haven't yet tried to build Thorsten's package at all. I'm only using Strongswan and that is currently unconfined except when run from the NetworkManager plugin. I don't yet even know how the plugin actually works. I will definitely try it but it will take a bit time before I can afford to spend time with it. Thanks for understanding.
No problem. Thank you.
Sorry for the delay (In reply to comment #1) > Could you switch to permissive mode and test it in permissive mode and then > > # setenforce 0 > re- test > # ausearch -m avc -ts recent time->Sun Oct 14 20:32:39 2012 type=SYSCALL msg=audit(1350239559.908:3740): arch=c000003e syscall=59 success=yes exit=0 a0=1e1d3c0 a1=7fffbe7bc380 a2=1decb10 a3=7fffbe7bbe50 items=0 ppid=28466 pid=17792 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(1350239559.908:3740): avc: denied { execute_no_trans } for pid=17792 comm="NetworkManager" path="/usr/libexec/strongswan/charon-nm" dev="dm-2" ino=270923 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file
/usr/libexec/strongswan/charon-nm is mislabaled. restorecon -R -v /usr/libexec/strongswan Is this a hard link somewhere else?
(In reply to comment #8) > /usr/libexec/strongswan/charon-nm is mislabaled. Argh, I'm really sorry for not checking this. I relabled the whole file system (just to be sure) and ran "ausearch -m avc -ts recent" again. Now I got this: type=SYSCALL msg=audit(1364648969.651:379): arch=c000003e syscall=44 success=yes exit=40 a0=6 a1=7f3593be57b0 a2=28 a3=0 items=0 ppid=894 pid=6264 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(1364648969.651:379): avc: denied { nlmsg_read } for pid=6264 comm="charon-nm" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_xfrm_socket Miroslav, Daniel, does that help? Is there anything else I can do? P.S.: Sorry for not replying earlier, I lost track of this.
Seems to me we need some better labeling for strongswan. ls -l /usr/libexec/strongswan/* I think we need to label some of these files as ipsec_mgmt_exec_t or ipsec_exec_t.
(In reply to comment #10) > I think we need to label some of these files as ipsec_mgmt_exec_t or > ipsec_exec_t. Is it a good idea to overload Openswan/Libreswan types?
Yes, since they are doing very similar things from a security point of view. If we get too fine grained, everything starts to fall apart and the complexity skyrockets. I would argue that many times we have failed on this account, and need to better group like applications together.
FYI, I'm still on f18, but seems in f19 and rawhide the files get ipsec_mgmt_exec_t already -- or am I reading this wrong? [thl@thl-t420 selinux-policy]$ grep /usr/libexec/strongswan * policy-rawhide-base.patch:+/usr/libexec/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) I ran "sudo chcon 'system_u:object_r:ipsec_mgmt_exec_t:s0' /usr/libexec/strongswan/*" and tried again -- then NM suddenly asked for a password (never did that before iirc) and "ausearch -m avc -ts recent" gave this: ---- time->Mon Apr 1 17:27:23 2013 type=SYSCALL msg=audit(1364830043.612:418): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=6 a3=7fffa8d77d60 items=0 ppid=933 pid=6885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) type=AVC msg=audit(1364830043.612:418): avc: denied { create } for pid=6885 comm="charon-nm" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket ---- time->Mon Apr 1 17:27:23 2013 type=SYSCALL msg=audit(1364830043.613:419): arch=c000003e syscall=44 success=no exit=-13 a0=6 a1=7fffa8d77b70 a2=24 a3=0 items=0 ppid=933 pid=6885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) type=AVC msg=audit(1364830043.613:419): avc: denied { nlmsg_write } for pid=6885 comm="charon-nm" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket ---- time->Mon Apr 1 17:27:23 2013 type=SYSCALL msg=audit(1364830043.613:420): arch=c000003e syscall=44 success=no exit=-13 a0=6 a1=7fffa8d77b70 a2=24 a3=0 items=0 ppid=933 pid=6885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) type=AVC msg=audit(1364830043.613:420): avc: denied { nlmsg_write } for pid=6885 comm="charon-nm" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket ---- time->Mon Apr 1 17:27:23 2013 type=SYSCALL msg=audit(1364830043.614:421): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=7fffa8d77f20 a2=1c a3=7fffa8d77f18 items=0 ppid=933 pid=6885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) type=AVC msg=audit(1364830043.614:421): avc: denied { name_bind } for pid=6885 comm="charon-nm" src=4500 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=udp_socket ---- time->Mon Apr 1 17:27:23 2013 type=SYSCALL msg=audit(1364830043.614:422): arch=c000003e syscall=49 success=no exit=-13 a0=a a1=7fffa8d77f20 a2=10 a3=7fffa8d77f18 items=0 ppid=933 pid=6885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) type=AVC msg=audit(1364830043.614:422): avc: denied { name_bind } for pid=6885 comm="charon-nm" src=4500 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=udp_socket I rechecked, after a "sudo setenforce 0" I can use NetworkManager-strongswan properly again to set up a VPN connection and I'm not asked for a password.
For completeness (I hope I'm not making a fool out of myself), I ran "sudo chcon 'system_u:object_r:ipsec_exec_t:s0' /usr/libexec/strongswan/*" and tried again; this time NM doesn't complain and parts of it (not all) think the VPN is up, when in fact it isn't. "ausearch -m avc -ts recent" showed this this time: ---- time->Mon Apr 1 17:36:38 2013 type=SYSCALL msg=audit(1364830598.986:495): arch=c000003e syscall=59 success=no exit=-13 a0=18c9aa0 a1=7fffef2e8bf0 a2=18b2b80 a3=8 items=0 ppid=933 pid=7462 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(1364830598.986:495): avc: denied { execute } for pid=7462 comm="NetworkManager" name="charon-nm" dev="dm-2" ino=262935 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file
Fixed in selinux-policy-3.12.1-25.fc19.noarch Added the transition from NetworkManager to ipsec_t through ipsec_exec_t and added all of the labels for strongswan.