Bug 984690 - strongswan needs a few extra permissions
strongswan needs a few extra permissions
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
20
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-15 13:10 EDT by Jamie Nguyen
Modified: 2014-02-23 10:28 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-23 10:28:52 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
AVC logs on F19 (4.42 KB, text/plain)
2013-07-16 06:03 EDT, Jamie Nguyen
no flags Details
AVC logs on EL6 (after adding required fcontexts) (8.10 KB, text/plain)
2013-07-16 06:13 EDT, Jamie Nguyen
no flags Details
AVC logs on F19 (7.08 KB, text/plain)
2013-07-18 04:41 EDT, Jamie Nguyen
no flags Details

  None (edit)
Description Jamie Nguyen 2013-07-15 13:10:22 EDT
Description of problem:

strongswan fails to start with a fairly simple configuration. Turns out there are a few selinux permissions missing, but that was easily remedied with a custom module.te that I've pasted below. Feel free to suggest what may or may not be a good idea in default policy, but this is the minimal permissions I needed to get strongswan running. Please do commit a fix in rawhide, f19, f18 and el6, that would be much appreciated! :-)


require {
        type ipsec_t;
        type sysctl_net_t;
        type dhcpc_port_t;
        class capability { net_raw setgid };
        class netlink_route_socket nlmsg_write;
        class udp_socket name_bind;
        class file write;
        class packet_socket { create setopt };
}

#============= ipsec_t ==============
allow ipsec_t dhcpc_port_t:udp_socket name_bind;
allow ipsec_t self:capability { net_raw setgid };
allow ipsec_t self:netlink_route_socket nlmsg_write;
allow ipsec_t self:packet_socket { create setopt };
allow ipsec_t sysctl_net_t:file write;
Comment 1 Miroslav Grepl 2013-07-16 04:27:25 EDT
Could you please attach AVC msgs for these rules. Thank you.
Comment 2 Jamie Nguyen 2013-07-16 06:03:24 EDT
Created attachment 774163 [details]
AVC logs on F19
Comment 3 Jamie Nguyen 2013-07-16 06:12:03 EDT
Just a note that on EL6, strongswan currently runs as initrc_t so I've not seen any AVC messages.

If you introduce the fcontext changes in:
  https://bugzilla.redhat.com/show_bug.cgi?id=984686
to EL6, as well as the additional one I mention in this comment:
   https://bugzilla.redhat.com/show_bug.cgi?id=984686#c2
then I get some AVC messages which I'll attach.
Comment 4 Jamie Nguyen 2013-07-16 06:13:45 EDT
Created attachment 774164 [details]
AVC logs on EL6 (after adding required fcontexts)
Comment 5 Jamie Nguyen 2013-07-18 04:41:23 EDT
Created attachment 775201 [details]
AVC logs on F19
Comment 6 Miroslav Grepl 2013-07-18 09:35:37 EDT
I am adding fixes to Fedora. Could please clone this bug for RHEL.
Comment 7 Fedora End Of Life 2013-09-16 13:01:36 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20
Comment 8 Fedora Update System 2013-09-25 16:39:09 EDT
selinux-policy-3.12.1-83.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-83.fc20
Comment 9 Fedora Update System 2013-09-26 20:42:44 EDT
Package selinux-policy-3.12.1-83.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-83.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17722/selinux-policy-3.12.1-83.fc20
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2013-10-02 02:42:38 EDT
Package selinux-policy-3.12.1-84.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-84.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17722/selinux-policy-3.12.1-84.fc20
then log in and leave karma (feedback).

Note You need to log in before you can comment on or make changes to this bug.