Bug 863839 - SELinux Policy for strongswan-NetworkManager (/usr/libexec/strongswan/charon-nm)
SELinux Policy for strongswan-NetworkManager (/usr/libexec/strongswan/charon...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-07 15:59 EDT by Thorsten Leemhuis
Modified: 2013-04-02 07:55 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-02 07:55:25 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
warnings from audit.log (11.78 KB, text/plain)
2012-10-07 15:59 EDT, Thorsten Leemhuis
no flags Details

  None (edit)
Description Thorsten Leemhuis 2012-10-07 15:59:10 EDT
Created attachment 623096 [details]
warnings from audit.log

While packaging NetworkManager-strongswan and submitting it for review (see bug 863836) I noticed that it doesn't work when SELinux is in enforcing mode. I thought it might be wise to get them fixed, but I'm not a SELinux expert and I failed to find current procedures for a situation like this in the wiki :-/

I'm attaching parts of my audit.log for reference. Using audit2allow I was able to create this to make the warnings go away:

"""
module charon-nm 1.0;

require {
	type ipsecnat_port_t;
	type NetworkManager_t;
	class netlink_xfrm_socket { bind create nlmsg_write };
	class udp_socket name_bind;
}

#============= NetworkManager_t ==============
allow NetworkManager_t ipsecnat_port_t:udp_socket name_bind;
allow NetworkManager_t self:netlink_xfrm_socket { bind create nlmsg_write };
"""

Note, that doesn't solve the problem yet, as this shows up when running in enforcing more

type=ANOM_ABEND msg=audit(1349636877.047:2589): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:NetworkManager_t:s0 pid=29480 comm="charon-nm" reason="memory violation" sig=11

That's where my selinux knowledge was at its end; any point how to solve this part of the puzzle (a link to a page gives a few hints) might be all I need to get further with fixing this.
Comment 1 Miroslav Grepl 2012-10-08 05:51:00 EDT
Could you switch to permissive mode and test it in permissive mode and then

# setenforce 0

re- test

# ausearch -m avc -ts recent
Comment 2 Daniel Walsh 2012-10-08 08:28:27 EDT
Maybe we should run this command as ipsec_t?
Comment 3 Pavel Šimerda (pavlix) 2012-10-10 01:56:52 EDT
Just a note... Using Openswan policy for Strongswan will probably not work out of the box. The two are too different from each other.
Comment 4 Miroslav Grepl 2012-10-10 04:12:17 EDT
Pavel,
could you try to execute

# setenforce 0

re- test

# ausearch -m avc -ts recent

we need to see if we get another AVC msgs.
Comment 5 Pavel Šimerda (pavlix) 2012-10-10 04:23:51 EDT
I haven't yet tried to build Thorsten's package at all. I'm only using Strongswan and that is currently unconfined except when run from the NetworkManager plugin. I don't yet even know how the plugin actually works.

I will definitely try it but it will take a bit time before I can afford to spend time with it.

Thanks for understanding.
Comment 6 Miroslav Grepl 2012-10-10 04:30:48 EDT
No problem. Thank you.
Comment 7 Thorsten Leemhuis 2012-10-14 14:34:22 EDT
Sorry for the delay

(In reply to comment #1)
> Could you switch to permissive mode and test it in permissive mode and then
> 
> # setenforce 0
> re- test
> # ausearch -m avc -ts recent

time->Sun Oct 14 20:32:39 2012
type=SYSCALL msg=audit(1350239559.908:3740): arch=c000003e syscall=59 success=yes exit=0 a0=1e1d3c0 a1=7fffbe7bc380 a2=1decb10 a3=7fffbe7bbe50 items=0 ppid=28466 pid=17792 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1350239559.908:3740): avc:  denied  { execute_no_trans } for  pid=17792 comm="NetworkManager" path="/usr/libexec/strongswan/charon-nm" dev="dm-2" ino=270923 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file
Comment 8 Daniel Walsh 2012-10-16 09:44:36 EDT
/usr/libexec/strongswan/charon-nm is mislabaled.

restorecon -R -v /usr/libexec/strongswan

Is this a hard link somewhere else?
Comment 9 Thorsten Leemhuis 2013-03-30 09:14:38 EDT
(In reply to comment #8)
> /usr/libexec/strongswan/charon-nm is mislabaled.

Argh, I'm really sorry for not checking this. I relabled the whole file system (just to be sure) and ran "ausearch -m avc -ts recent" again. Now I got this:

type=SYSCALL msg=audit(1364648969.651:379): arch=c000003e syscall=44 success=yes exit=40 a0=6 a1=7f3593be57b0 a2=28 a3=0 items=0 ppid=894 pid=6264 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1364648969.651:379): avc:  denied  { nlmsg_read } for  pid=6264 comm="charon-nm" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_xfrm_socket

Miroslav, Daniel, does that help? Is there anything else I can do?

P.S.: Sorry for not replying earlier, I lost track of this.
Comment 10 Daniel Walsh 2013-04-01 09:25:36 EDT
Seems to me we need some better labeling for strongswan.

ls -l /usr/libexec/strongswan/*

I think we need to label some of these files as ipsec_mgmt_exec_t or ipsec_exec_t.
Comment 11 Pavel Šimerda (pavlix) 2013-04-01 10:10:11 EDT
(In reply to comment #10)
> I think we need to label some of these files as ipsec_mgmt_exec_t or
> ipsec_exec_t.

Is it a good idea to overload Openswan/Libreswan types?
Comment 12 Daniel Walsh 2013-04-01 10:37:29 EDT
Yes, since they are doing very similar things from a security point of view.  If we get too fine grained, everything starts to fall apart and the complexity skyrockets.  I would argue that many times we have failed on this account, and need to better group like applications together.
Comment 13 Thorsten Leemhuis 2013-04-01 11:31:32 EDT
FYI, I'm still on f18, but seems in f19 and rawhide the files get ipsec_mgmt_exec_t already -- or am I reading this wrong?

[thl@thl-t420 selinux-policy]$ grep /usr/libexec/strongswan *
policy-rawhide-base.patch:+/usr/libexec/strongswan		--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)

I ran "sudo chcon 'system_u:object_r:ipsec_mgmt_exec_t:s0' /usr/libexec/strongswan/*" and tried again -- then NM suddenly asked for a password (never did that before iirc) and "ausearch -m avc -ts recent" gave this:

----
time->Mon Apr  1 17:27:23 2013
type=SYSCALL msg=audit(1364830043.612:418): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=6 a3=7fffa8d77d60 items=0 ppid=933 pid=6885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1364830043.612:418): avc:  denied  { create } for  pid=6885 comm="charon-nm" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_xfrm_socket
----
time->Mon Apr  1 17:27:23 2013
type=SYSCALL msg=audit(1364830043.613:419): arch=c000003e syscall=44 success=no exit=-13 a0=6 a1=7fffa8d77b70 a2=24 a3=0 items=0 ppid=933 pid=6885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1364830043.613:419): avc:  denied  { nlmsg_write } for  pid=6885 comm="charon-nm" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket
----
time->Mon Apr  1 17:27:23 2013
type=SYSCALL msg=audit(1364830043.613:420): arch=c000003e syscall=44 success=no exit=-13 a0=6 a1=7fffa8d77b70 a2=24 a3=0 items=0 ppid=933 pid=6885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1364830043.613:420): avc:  denied  { nlmsg_write } for  pid=6885 comm="charon-nm" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket
----
time->Mon Apr  1 17:27:23 2013
type=SYSCALL msg=audit(1364830043.614:421): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=7fffa8d77f20 a2=1c a3=7fffa8d77f18 items=0 ppid=933 pid=6885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1364830043.614:421): avc:  denied  { name_bind } for  pid=6885 comm="charon-nm" src=4500 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=udp_socket
----
time->Mon Apr  1 17:27:23 2013
type=SYSCALL msg=audit(1364830043.614:422): arch=c000003e syscall=49 success=no exit=-13 a0=a a1=7fffa8d77f20 a2=10 a3=7fffa8d77f18 items=0 ppid=933 pid=6885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="charon-nm" exe="/usr/libexec/strongswan/charon-nm" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1364830043.614:422): avc:  denied  { name_bind } for  pid=6885 comm="charon-nm" src=4500 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=udp_socket

I rechecked, after a "sudo setenforce 0" I can use NetworkManager-strongswan properly again to set up a VPN connection and I'm not asked for a password.
Comment 14 Thorsten Leemhuis 2013-04-01 11:36:55 EDT
For completeness (I hope I'm not making a fool out of myself), I ran "sudo chcon 'system_u:object_r:ipsec_exec_t:s0' /usr/libexec/strongswan/*" and tried again; this time NM doesn't complain and parts of it (not all) think the VPN is up, when in fact it isn't. "ausearch -m avc -ts recent" showed this this time:
----
time->Mon Apr  1 17:36:38 2013
type=SYSCALL msg=audit(1364830598.986:495): arch=c000003e syscall=59 success=no exit=-13 a0=18c9aa0 a1=7fffef2e8bf0 a2=18b2b80 a3=8 items=0 ppid=933 pid=7462 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1364830598.986:495): avc:  denied  { execute } for  pid=7462 comm="NetworkManager" name="charon-nm" dev="dm-2" ino=262935 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file
Comment 15 Daniel Walsh 2013-04-01 14:40:24 EDT
Fixed in selinux-policy-3.12.1-25.fc19.noarch

Added the transition from NetworkManager to ipsec_t through ipsec_exec_t and added all of the labels for strongswan.

Note You need to log in before you can comment on or make changes to this bug.