Bug 903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random.
Summary: SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: strongswan
Version: 20
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Pavel Šimerda (pavlix)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:f53e6748cfb2c340b0232ad4072...
Depends On:
Blocks:
 
Reported: 2013-01-24 13:14 UTC by Jeremy Beker
Modified: 2014-04-04 09:42 UTC (History)

Fixed In Version: strongswan-5.1.2-4.fc20
Clone Of:
Environment:
Last Closed: 2014-04-04 09:42:36 UTC
Type: ---
Embargoed:


Attachments
File list from FC18 strongswan package. (2.84 KB, text/plain)
2013-01-25 14:59 UTC, Jeremy Beker


Links
System: strongSwan, ID: 519, Private: 0, Priority: None, Status: None, Summary: None, Last Updated: Never

Description Jeremy Beker 2013-01-24 13:14:51 UTC
Description of problem:
When strongswan makes an IKEv2 connection, SELinux warns during iptables rule insertion.
SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xtables-multi should be allowed read access on the random chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iptables /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:iptables_t:s0
Target Context                system_u:object_r:random_device_t:s0
Target Objects                /dev/random [ chr_file ]
Source                        iptables
Source Path                   /usr/sbin/xtables-multi
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iptables-1.4.16.2-5.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-67.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.2-204.fc18.x86_64 #1 SMP Wed
                              Jan 16 16:22:52 UTC 2013 x86_64 x86_64
Alert Count                   420
First Seen                    2013-01-21 08:47:40 EST
Last Seen                     2013-01-24 08:11:35 EST
Local ID                      463f5b00-7fa2-4d69-b519-755dea0aeddc

Raw Audit Messages
type=AVC msg=audit(1359033095.373:4277): avc:  denied  { read } for  pid=4514 comm="iptables" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file


type=AVC msg=audit(1359033095.373:4277): avc:  denied  { write } for  pid=4514 comm="iptables" path="/run/charon.pid" dev="tmpfs" ino=5569639 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1359033095.373:4277): arch=x86_64 syscall=execve success=yes exit=0 a0=1bfba30 a1=1bdd3f0 a2=1be9db0 a3=c8 items=0 ppid=4503 pid=4514 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)

Hash: iptables,iptables_t,random_device_t,chr_file,read

audit2allow

#============= iptables_t ==============
allow iptables_t initrc_var_run_t:file write;
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'

allow iptables_t random_device_t:chr_file read;

audit2allow -R

#============= iptables_t ==============
allow iptables_t initrc_var_run_t:file write;
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'

allow iptables_t random_device_t:chr_file read;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.2-204.fc18.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2013-01-25 10:00:52 UTC
type=AVC msg=audit(1359033095.373:4277): avc:  denied  { write } for  pid=4514 comm="iptables" path="/run/charon.pid" dev="tmpfs" ino=5569639 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

This is a leak. What is "/run/charon.pid"? I mean which service creates this pid file?

Comment 2 Jeremy Beker 2013-01-25 13:26:03 UTC
Charon is the IKEv1 and IKEv2 daemon for Strongswan. (http://www.strongswan.org/).

The SELinux warning pops up right after a new IKEv2 connection has been made.

Comment 3 Daniel Walsh 2013-01-25 14:26:33 UTC
I guess we should label this stuff the same as we do for openswan?

grep ipsec /etc/selinux/targeted/contexts/files/file_contexts
/etc/racoon(/.*)?	system_u:object_r:ipsec_conf_file_t:s0
/var/racoon(/.*)?	system_u:object_r:ipsec_var_run_t:s0
/etc/ipsec\.d(/.*)?	system_u:object_r:ipsec_key_file_t:s0
/var/run/pluto(/.*)?	system_u:object_r:ipsec_var_run_t:s0
/usr/lib/ipsec/.*	--	system_u:object_r:bin_t:s0
/etc/racoon/certs(/.*)?	system_u:object_r:ipsec_key_file_t:s0
/etc/ipsec\.d/examples(/.*)?	system_u:object_r:etc_t:s0
/etc/ipsec\.conf	--	system_u:object_r:ipsec_conf_file_t:s0
/usr/sbin/ipsec	--	system_u:object_r:ipsec_mgmt_exec_t:s0
/etc/ipsec\.secrets	--	system_u:object_r:ipsec_key_file_t:s0
/usr/lib/ipsec/spi	--	system_u:object_r:ipsec_exec_t:s0
/var/log/pluto\.log	--	system_u:object_r:ipsec_log_t:s0
/etc/racoon/psk\.txt	--	system_u:object_r:ipsec_key_file_t:s0
/var/run/racoon\.pid	--	system_u:object_r:ipsec_var_run_t:s0
/usr/lib/ipsec/pluto	--	system_u:object_r:ipsec_exec_t:s0
/usr/lib/ipsec/eroute	--	system_u:object_r:ipsec_exec_t:s0
/etc/rc\.d/init\.d/ipsec	--	system_u:object_r:ipsec_initrc_exec_t:s0
/usr/libexec/ipsec/spi	--	system_u:object_r:ipsec_exec_t:s0
/var/lock/subsys/ipsec	--	system_u:object_r:ipsec_mgmt_lock_t:s0
/etc/rc\.d/init\.d/racoon	--	system_u:object_r:ipsec_initrc_exec_t:s0
/usr/lib/ipsec/_plutorun	--	system_u:object_r:ipsec_mgmt_exec_t:s0
/usr/libexec/ipsec/pluto	--	system_u:object_r:ipsec_exec_t:s0
/usr/lib/ipsec/_plutoload	--	system_u:object_r:ipsec_mgmt_exec_t:s0
/usr/lib/ipsec/klipsdebug	--	system_u:object_r:ipsec_exec_t:s0
/usr/libexec/ipsec/eroute	--	system_u:object_r:ipsec_exec_t:s0
/usr/libexec/ipsec/_plutorun	--	system_u:object_r:ipsec_mgmt_exec_t:s0
/usr/libexec/ipsec/_plutoload	--	system_u:object_r:ipsec_mgmt_exec_t:s0
/usr/libexec/ipsec/klipsdebug	--	system_u:object_r:ipsec_exec_t:s0
/usr/libexec/nm-openswan-service	--	system_u:object_r:ipsec_mgmt_exec_t:s0
/etc/sysconfig/network-scripts/ifup-ipsec	--	system_u:object_r:initrc_exec_t:s0

What paths are associated with strongswan?

Comment 4 Jeremy Beker 2013-01-25 14:58:18 UTC
I'm definitely not the expert here, but I have attached a filelist (strongswan-5.0.0-3.git20120619.fc18.x86_64.filelist.txt) from the FC18 Strongswan RPM (strongswan-5.0.0-3.git20120619.fc18.x86_64).

Comment 5 Jeremy Beker 2013-01-25 14:59:11 UTC
Created attachment 687501 [details]
File list from FC18 strongswan package.

Comment 6 Miroslav Grepl 2013-01-28 10:07:43 UTC
I added fixes.

commit 82ff015a654202c0e9f6b2a48ba2c52c9cc5c473
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 28 11:06:29 2013 +0100

    Add labeling for strongswan

Comment 7 Fedora Update System 2013-01-31 13:18:18 UTC
selinux-policy-3.11.1-74.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-74.fc18

Comment 8 Fedora Update System 2013-02-01 16:38:49 UTC
Package selinux-policy-3.11.1-74.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-74.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1693/selinux-policy-3.11.1-74.fc18
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2013-02-08 02:23:29 UTC
selinux-policy-3.11.1-74.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Jeremy Beker 2013-02-18 14:15:24 UTC
Hey everyone, sorry to say I am still seeing this.  Any time I restart the strongswan service, I get the following two denied entries:

type=AVC msg=audit(1361196699.367:831): avc:  denied  { read } for  pid=4066 comm="iptables" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

type=AVC msg=audit(1361196699.367:831): avc:  denied  { write } for  pid=4066 comm="iptables" path="/run/charon.pid" dev="tmpfs" ino=928464 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

I have the latest version of the selinux-policy: selinux-policy-3.11.1-78.fc18.noarch

Comment 11 Daniel Walsh 2013-02-18 15:42:14 UTC
Is this the entire AVC message?  I think there are leaks from strongswan.

ausearch -m avc -i -ts recent 

To get all the parts of the AVC message.

Comment 12 Jeremy Beker 2013-02-18 15:49:25 UTC
Here you go.  This is from a restart of strongswan, so might have messages from the shutdown as well.

----
type=SYSCALL msg=audit(02/18/2013 10:48:22.171:1126) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1d1b750 a1=0x1cfd3f0 a2=0x1d09db0 a3=0xc0 items=0 ppid=5762 pid=5775 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(02/18/2013 10:48:22.171:1126) : avc:  denied  { read } for  pid=5775 comm=iptables path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file 
----
type=SYSCALL msg=audit(02/18/2013 10:48:22.178:1128) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1d1adf0 a1=0x1cfd3f0 a2=0x1d09db0 a3=0xc0 items=0 ppid=5762 pid=5776 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(02/18/2013 10:48:22.178:1128) : avc:  denied  { read } for  pid=5776 comm=iptables path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file 
----
type=SYSCALL msg=audit(02/18/2013 10:48:22.180:1130) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1d1b410 a1=0x1cfd3f0 a2=0x1d09db0 a3=0xc0 items=0 ppid=5762 pid=5777 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(02/18/2013 10:48:22.180:1130) : avc:  denied  { read } for  pid=5777 comm=iptables path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file 
----
type=SYSCALL msg=audit(02/18/2013 10:48:22.181:1132) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1d1b990 a1=0x1cfd3f0 a2=0x1d09db0 a3=0xc0 items=0 ppid=5762 pid=5778 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(02/18/2013 10:48:22.181:1132) : avc:  denied  { read } for  pid=5778 comm=iptables path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file 
----
type=SYSCALL msg=audit(02/18/2013 10:48:22.572:1152) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x24ab790 a1=0x248d3f0 a2=0x2499db0 a3=0xc8 items=0 ppid=5841 pid=5850 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(02/18/2013 10:48:22.572:1152) : avc:  denied  { write } for  pid=5850 comm=iptables path=/run/charon.pid dev="tmpfs" ino=3168043 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file 
type=AVC msg=audit(02/18/2013 10:48:22.572:1152) : avc:  denied  { read } for  pid=5850 comm=iptables path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file 
----
type=SYSCALL msg=audit(02/18/2013 10:48:22.574:1154) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x24aadf0 a1=0x248d3f0 a2=0x2499db0 a3=0xc8 items=0 ppid=5841 pid=5851 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(02/18/2013 10:48:22.574:1154) : avc:  denied  { write } for  pid=5851 comm=iptables path=/run/charon.pid dev="tmpfs" ino=3168043 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file 
type=AVC msg=audit(02/18/2013 10:48:22.574:1154) : avc:  denied  { read } for  pid=5851 comm=iptables path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file 
----
type=SYSCALL msg=audit(02/18/2013 10:48:22.576:1156) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x24ab450 a1=0x248d3f0 a2=0x2499db0 a3=0xc8 items=0 ppid=5841 pid=5852 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(02/18/2013 10:48:22.576:1156) : avc:  denied  { write } for  pid=5852 comm=iptables path=/run/charon.pid dev="tmpfs" ino=3168043 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file 
type=AVC msg=audit(02/18/2013 10:48:22.576:1156) : avc:  denied  { read } for  pid=5852 comm=iptables path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file 
----
type=SYSCALL msg=audit(02/18/2013 10:48:22.578:1158) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x24aba30 a1=0x248d3f0 a2=0x2499db0 a3=0xc8 items=0 ppid=5841 pid=5853 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(02/18/2013 10:48:22.578:1158) : avc:  denied  { write } for  pid=5853 comm=iptables path=/run/charon.pid dev="tmpfs" ino=3168043 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file 
type=AVC msg=audit(02/18/2013 10:48:22.578:1158) : avc:  denied  { read } for  pid=5853 comm=iptables path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

Comment 13 Daniel Walsh 2013-02-18 15:56:22 UTC
As I expected, these are leaks from strongswan.

It needs to close the file descriptors on exec.

fcntl(fd, F_SETFD, FD_CLOEXEC)

For /dev/random and /run/charon.pid

You might be able to do this in the open call also.

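The fix Comment 13 describes, worked through as an added example (this is not strongswan's code and not anything attached to this report): a daemon opens /dev/random and its pid file, then fork+execs a helper such as iptables; without FD_CLOEXEC the helper inherits both descriptors, which is exactly what the AVCs above show (iptables_t touching random_device_t and the charon pid file). The block shows the leaky open, the two fixes (fcntl F_SETFD FD_CLOEXEC on an existing descriptor, and O_CLOEXEC in the open call), and a check a packager can use to confirm the fix: counting descriptors in /proc/self/fd that would survive execve(). It assumes Linux with /proc mounted and /bin/ls available; the pid-file path /tmp/example-charon.pid is constructed for the demo and is not charon's real path.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd carries FD_CLOEXEC, 0 if it would be inherited across execve(),
 * -1 if fd is not open. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Fix 1 (Comment 13): mark an already-open descriptor close-on-exec.
 * Returns 0 on success, -1 on error. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Fix 2 ("in the open call"): O_CLOEXEC is applied atomically, so another
 * thread cannot fork+exec in the window between open() and a later fcntl(). */
int open_cloexec(const char *path, int flags, mode_t mode) {
    return open(path, flags | O_CLOEXEC, mode);
}

/* Check: count descriptors above stdin/stdout/stderr that a child would
 * inherit across execve().  Walks /proc/self/fd (Linux only), skipping the
 * directory handle itself; returns -1 if /proc is unavailable. */
int count_leakable_fds(void) {
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int self = dirfd(d), n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        int fd = atoi(e->d_name);
        if (fd <= 2 || fd == self) continue;
        if (fd_is_cloexec(fd) == 0) n++;
    }
    closedir(d);
    return n;
}

/* Spawn a helper the way a daemon spawns iptables, and list what the helper
 * inherited: the child-side view of "ls -l /proc/<pid>/fd". */
static void show_child_fds(const char *label) {
    printf("--- %s: descriptors visible in the exec'd child ---\n", label);
    fflush(stdout);
    pid_t c = fork();
    if (c == 0) {
        execl("/bin/ls", "ls", "-l", "/proc/self/fd", (char *)NULL);
        _exit(127);
    }
    if (c > 0) waitpid(c, NULL, 0);
}

int main(void) {
    /* Leaky pattern: plain open(), the descriptor survives execve(). */
    int rnd = open("/dev/random", O_RDONLY);
    if (rnd < 0) return 1;
    printf("leakable fds after plain open(/dev/random): %d\n", count_leakable_fds());
    show_child_fds("before fix");

    /* Fix 1: fcntl on the existing descriptor. */
    set_cloexec(rnd);
    printf("leakable fds after F_SETFD FD_CLOEXEC: %d\n", count_leakable_fds());

    /* Fix 2: O_CLOEXEC at open time (constructed pid-file path, not charon's). */
    int pidfd = open_cloexec("/tmp/example-charon.pid", O_WRONLY | O_CREAT, 0644);
    if (pidfd >= 0)
        printf("pid file fd %d cloexec=%d\n", pidfd, fd_is_cloexec(pidfd));
    show_child_fds("after fix");

    if (pidfd >= 0) { close(pidfd); unlink("/tmp/example-charon.pid"); }
    close(rnd);
    return 0;
}
```

Run it as an unprivileged user: the first `ls` listing shows a descriptor pointing at /dev/random inside the child, the second shows only 0, 1, 2 and ls's own directory handle. The same inspection on a live system is `ls -l /proc/<pid>/fd` of the spawned iptables process, which is what the AVC target paths in this report are effectively reporting. Prefer the O_CLOEXEC form in new code; the fcntl form is for descriptors opened by library code you do not control.
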
Comment 14 Fedora End Of Life 2013-12-21 15:19:37 UTC
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 15 Juan Orti Alcaine 2014-01-13 10:45:04 UTC
This bug still exists in Fedora 20:

SELinux is preventing /usr/sbin/xtables-multi from read access on the chr_file /dev/random.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If desea allow authlogin to nsswitch use ldap
Then usted debe decir a SELinux sobre esto habilitando el booleano 'authlogin_nsswitch_use_ldap'.
Puede leer la página man de 'None' para más detalles.
Do
setsebool -P authlogin_nsswitch_use_ldap 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If cree que de manera predeterminada, xtables-multi debería permitir acceso read sobre  random chr_file.
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep iptables /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:iptables_t:s0
Target Context                system_u:object_r:random_device_t:s0
Target Objects                /dev/random [ chr_file ]
Source                        iptables
Source Path                   /usr/sbin/xtables-multi
Port                          <Unknown>
Host                          <removed>
Source RPM Packages           iptables-1.4.19.1-1.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <removed>
Platform                      Linux <removed> 3.12.6-300.fc20.x86_64 #1
                              SMP Mon Dec 23 16:44:31 UTC 2013 x86_64 x86_64
Alert Count                   2414
First Seen                    2013-12-20 13:40:23 CET
Last Seen                     2014-01-13 11:32:32 CET
Local ID                      c0717df6-c523-44f6-91aa-09c12e9c48fb

Raw Audit Messages
type=AVC msg=audit(1389609152.118:17154): avc:  denied  { read } for  pid=17940 comm="iptables" path="/dev/random" dev="devtmpfs" ino=5008 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file


type=AVC msg=audit(1389609152.118:17154): avc:  denied  { write } for  pid=17940 comm="iptables" path="/run/charon.pid" dev="tmpfs" ino=2441891 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1389609152.118:17154): arch=x86_64 syscall=execve success=yes exit=0 a0=2652790 a1=2652910 a2=2640680 a3=7fffb85d6b80 items=0 ppid=17931 pid=17940 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)

Hash: iptables,iptables_t,random_device_t,chr_file,read


--------------------------
# ausearch -m avc -i -ts recent
----
type=SYSCALL msg=audit(13/01/14 11:32:26.933:17144) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x2676e40 a1=0x26778b0 a2=0x2665680 a3=0x7fff033c9990 items=0 ppid=17874 pid=17882 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(13/01/14 11:32:26.933:17144) : avc:  denied  { write } for  pid=17882 comm=iptables path=/run/charon.pid dev="tmpfs" ino=2441891 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=file
type=AVC msg=audit(13/01/14 11:32:26.933:17144) : avc:  denied  { read } for  pid=17882 comm=iptables path=/dev/random dev="devtmpfs" ino=5008 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(13/01/14 11:32:27.089:17146) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x2677810 a1=0x2677990 a2=0x2665680 a3=0x7fff033c99b0 items=0 ppid=17874 pid=17889 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(13/01/14 11:32:27.089:17146) : avc:  denied  { write } for  pid=17889 comm=iptables path=/run/charon.pid dev="tmpfs" ino=2441891 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=file
type=AVC msg=audit(13/01/14 11:32:27.089:17146) : avc:  denied  { read } for  pid=17889 comm=iptables path=/dev/random dev="devtmpfs" ino=5008 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(13/01/14 11:32:32.102:17152) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x2651e00 a1=0x2652830 a2=0x2640680 a3=0x7fffb85d6b60 items=0 ppid=17931 pid=17939 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(13/01/14 11:32:32.102:17152) : avc:  denied  { write } for  pid=17939 comm=iptables path=/run/charon.pid dev="tmpfs" ino=2441891 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=file
type=AVC msg=audit(13/01/14 11:32:32.102:17152) : avc:  denied  { read } for  pid=17939 comm=iptables path=/dev/random dev="devtmpfs" ino=5008 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(13/01/14 11:32:32.118:17154) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x2652790 a1=0x2652910 a2=0x2640680 a3=0x7fffb85d6b80 items=0 ppid=17931 pid=17940 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(13/01/14 11:32:32.118:17154) : avc:  denied  { write } for  pid=17940 comm=iptables path=/run/charon.pid dev="tmpfs" ino=2441891 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=file
type=AVC msg=audit(13/01/14 11:32:32.118:17154) : avc:  denied  { read } for  pid=17940 comm=iptables path=/dev/random dev="devtmpfs" ino=5008 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

Comment 16 Pavel Šimerda (pavlix) 2014-02-17 11:10:23 UTC
Thanks for keeping the report up to date. Reported upstream:

http://wiki.strongswan.org/issues/519

Comment 17 Pavel Šimerda (pavlix) 2014-02-19 09:17:16 UTC
Fixed in rawhide. Submitted patch upstream.

Comment 18 Fedora Update System 2014-03-14 20:13:52 UTC
strongswan-5.1.2-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/strongswan-5.1.2-1.fc20

Comment 19 Fedora Update System 2014-03-15 15:19:53 UTC
Package strongswan-5.1.2-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing strongswan-5.1.2-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3924/strongswan-5.1.2-1.fc20
then log in and leave karma (feedback).

Comment 20 Fedora Update System 2014-03-26 05:34:45 UTC
Package strongswan-5.1.2-4.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing strongswan-5.1.2-4.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3924/strongswan-5.1.2-4.fc20
then log in and leave karma (feedback).

Comment 21 Fedora Update System 2014-04-04 09:42:36 UTC
strongswan-5.1.2-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

