Bug 986883 - strongswan file contexts should mirror the current ipsec contexts
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2013-07-22 06:23 EDT by Miroslav Grepl
Modified: 2013-11-21 05:46 EST
CC: 6 users

Fixed In Version: selinux-policy-3.7.19-221.el6
Doc Type: Bug Fix
Clone Of: 984686
Last Closed: 2013-11-21 05:46:31 EST
Type: Bug

Description Miroslav Grepl 2013-07-22 06:23:33 EDT
+++ This bug was initially created as a clone of Bug #984686 +++

Description:
============

openswan has the correct fcontexts set, but strongswan is missing a few.

The current contexts for openswan:

  /etc/ipsec\.conf
  regular file   system_u:object_r:ipsec_conf_file_t:s0

  /etc/ipsec\.d(/.*)?
  all files      system_u:object_r:ipsec_key_file_t:s0

  /etc/ipsec\.d/examples(/.*)?
  all files      system_u:object_r:etc_t:s0

  /etc/ipsec\.secrets.*
  regular file   system_u:object_r:ipsec_key_file_t:s0

  /etc/rc\.d/init\.d/ipsec
  regular file   system_u:object_r:ipsec_initrc_exec_t:s0

  /var/lock/subsys/ipsec
  regular file   system_u:object_r:ipsec_mgmt_lock_t:s0 


However, the /etc/strongswan/ipsec.d/ directory only has this:

  /etc/strongswan(/.*)?
  all files      system_u:object_r:ipsec_conf_file_t:s0


Solution:
=========

The /etc/strongswan/ipsec.d/ directory should mirror the contexts above, so it looks like this:

  /etc/strongswan/ipsec\.conf
  regular file   system_u:object_r:ipsec_conf_file_t:s0

  /etc/strongswan/ipsec\.d(/.*)?
  all files      system_u:object_r:ipsec_key_file_t:s0

  /etc/strongswan/ipsec\.d/examples(/.*)?
  all files      system_u:object_r:etc_t:s0

  /etc/strongswan/ipsec\.secrets.*
  regular file   system_u:object_r:ipsec_key_file_t:s0

  /etc/rc\.d/init\.d/strongswan
  regular file   system_u:object_r:ipsec_initrc_exec_t:s0

  /var/lock/subsys/strongswan
  regular file   system_u:object_r:ipsec_mgmt_lock_t:s0 



Version-Release number of selected component (if applicable):

Could you please fix this on rawhide, f19, f18 and el6? Thanks!

--- Additional comment from Miroslav Grepl on 2013-07-16 04:52:30 EDT ---

Added.

commit 797d28d0dd8a6010078aab159aacfa64acb96b29
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Jul 16 10:36:28 2013 +0200

    Add additional labeling for strongswan

--- Additional comment from Jamie Nguyen on 2013-07-16 06:10:50 EDT ---

Thanks!

I forgot to mention that on EL6, it's also missing this one (in addition to all of the above mentioned):

  /usr/sbin/strongswan
  regular file   system_u:object_r:ipsec_mgmt_exec_t:s0
Comment 2 Milos Malik 2013-07-22 08:31:33 EDT
When selinux-policy 3.7.19-208.el6 is installed, strongswan processes run as initrc_t:

unconfined_u:system_r:initrc_t:s0 root    3114     1  0 14:26 ?        00:00:00 /usr/libexec/strongswan/starter
unconfined_u:system_r:initrc_t:s0 root    3116  3114  0 14:26 ?        00:00:00 /usr/libexec/strongswan/pluto --nofork --uniqueids
unconfined_u:system_r:initrc_t:s0 root    3318  3114  0 14:26 ?        00:00:00 /usr/libexec/strongswan/charon --use-syslog
Comment 3 Milos Malik 2013-07-22 08:56:11 EDT
Also a product of strongswan processes:
----
type=SOCKETCALL msg=audit(07/22/2013 14:36:57.485:94) : nargs=4 a0=3 a1=8f690a8 a2=44 a3=4000 
type=SYSCALL msg=audit(07/22/2013 14:36:57.485:94) : arch=i386 syscall=socketcall(send) success=yes exit=68 a0=9 a1=bf85c128 a2=4d8ff4 a3=14 items=0 ppid=1 pid=3114 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=starter exe=/usr/libexec/strongswan/starter subj=unconfined_u:system_r:initrc_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(07/22/2013 14:36:57.485:94) : SELinux:  unrecognized netlink message type=30026 for sclass=34 
----
Comment 6 Miroslav Grepl 2013-09-25 07:52:36 EDT
Additional fixes are needed.
Comment 8 Miroslav Grepl 2013-10-02 07:20:21 EDT
These are new.

Milos,
any chance to re-test in permissive mode and with full auditing?
Comment 15 Miroslav Grepl 2013-10-07 08:39:39 EDT
Ok, we do not support it in Fedora either.
Comment 22 Miroslav Grepl 2013-10-09 06:09:15 EDT
# semanage fcontext -l | grep charon
/var/run/charon\.ctl                               socket             system_u:object_r:ipsec_var_run_t:s0 
/var/run/charon\.pid                               regular file       system_u:object_r:ipsec_var_run_t:s0

# runcon -u system_u -r system_r -t initrc_t -- runcon -t ipsec_t -- touch /etc/strongswan/ipsec.secrets

# ls -Z /etc/strongswan/ipsec.secrets
-rw-r--r--. root root system_u:object_r:ipsec_key_file_t:s0 /etc/strongswan/ipsec.secrets
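The label table in the description's Solution section, Jamie Nguyen's `/usr/sbin/strongswan` addition, the charon entries in Comment 22 and the initrc_t symptom in Comment 2 can all be checked from one script. The following POSIX sh script is an added example written for this page; it is not part of the bug report or of Red Hat's selinux-policy package. It assumes `matchpathcon` from libselinux-utils is installed, takes ipsec_t as the expected domain for the strongswan daemons (the domain Comment 22 runs under; the page does not name the daemons' domain outright, so that is an assumption), and the `/etc/strongswan/ipsec.d/private/hostkey.pem` entry is a hypothetical path included only to show that the `ipsec\.d(/.*)?` rule covers files below ipsec.d.

```shell
#!/bin/sh
# audit_strongswan_labels.sh -- added example, not from the bug report or from
# selinux-policy.  Checks strongswan file labels and daemon domains against the
# table this bug asks for, and can emit stopgap semanage rules.
#
# Expected labels, mirrored from the openswan entries in the description, plus
# /usr/sbin/strongswan (comment 1) and the charon entries (comment 22).
# Format: PATH <whitespace> EXPECTED_TYPE.  hostkey.pem is a hypothetical file,
# listed to show that the ipsec\.d(/.*)? rule reaches files below ipsec.d.
EXPECTED_LABELS='
/etc/strongswan/ipsec.conf                  ipsec_conf_file_t
/etc/strongswan/ipsec.d                     ipsec_key_file_t
/etc/strongswan/ipsec.d/private/hostkey.pem ipsec_key_file_t
/etc/strongswan/ipsec.d/examples            etc_t
/etc/strongswan/ipsec.secrets               ipsec_key_file_t
/etc/rc.d/init.d/strongswan                 ipsec_initrc_exec_t
/var/lock/subsys/strongswan                 ipsec_mgmt_lock_t
/usr/sbin/strongswan                        ipsec_mgmt_exec_t
/var/run/charon.ctl                         ipsec_var_run_t
/var/run/charon.pid                         ipsec_var_run_t
'

# context_type CONTEXT: print the type field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_label PATH EXPECTED_TYPE ACTUAL_CONTEXT: 0 when the types match.
check_label() {
    path=$1; expected=$2; actual=$(context_type "$3")
    if [ "$actual" = "$expected" ]; then
        printf 'OK        %-45s %s\n' "$path" "$actual"
        return 0
    fi
    printf 'MISMATCH  %-45s got %s, want %s\n' "$path" "${actual:-<none>}" "$expected"
    return 1
}

# audit_labels: ask the loaded policy (matchpathcon -n) what each path should
# be labelled and compare with EXPECTED_LABELS.  Exit status = mismatch count.
audit_labels() {
    bad=0
    while read -r p want; do
        [ -n "$p" ] || continue
        got=$(matchpathcon -n "$p" 2>/dev/null) || got=''
        check_label "$p" "$want" "$got" || bad=$((bad + 1))
    done <<EOF
$EXPECTED_LABELS
EOF
    return $bad
}

# check_process_domain "PS_LINE" EXPECTED_DOMAIN: PS_LINE is one line of
# `ps -eo label,pid,comm`; 0 when the process runs in EXPECTED_DOMAIN.
check_process_domain() {
    ctx=${1%% *}
    dom=$(context_type "$ctx")
    [ "$dom" = "$2" ]
}

# audit_processes EXPECTED_DOMAIN: check starter, pluto and charon (the three
# daemons comment 2 shows stuck in initrc_t).  Exit status = mismatch count.
audit_processes() {
    bad=0
    procs=$(ps -eo label,pid,comm 2>/dev/null | grep -E ' (starter|pluto|charon)$') || procs=''
    while read -r line; do
        [ -n "$line" ] || continue
        if check_process_domain "$line" "$1"; then
            printf 'OK        %s\n' "$line"
        else
            printf 'MISMATCH  %s (want %s)\n' "$line" "$1"
            bad=$((bad + 1))
        fi
    done <<EOF
$procs
EOF
    return $bad
}

# semanage_commands: print local fcontext rules reproducing the Solution
# section (plus /usr/sbin/strongswan) for a host whose policy predates
# selinux-policy-3.7.19-221.el6.  The -f file-type flag is left out because
# its syntax differs between the RHEL 6 and newer policycoreutils, so these
# rules match every file type, slightly broader than the policy's own.
semanage_commands() {
    while read -r regex type; do
        [ -n "$regex" ] || continue
        printf "semanage fcontext -a -t %s '%s'\n" "$type" "$regex"
    done <<'EOF'
/etc/strongswan/ipsec\.conf            ipsec_conf_file_t
/etc/strongswan/ipsec\.d(/.*)?         ipsec_key_file_t
/etc/strongswan/ipsec\.d/examples(/.*)? etc_t
/etc/strongswan/ipsec\.secrets.*       ipsec_key_file_t
/etc/rc\.d/init\.d/strongswan          ipsec_initrc_exec_t
/var/lock/subsys/strongswan            ipsec_mgmt_lock_t
/usr/sbin/strongswan                   ipsec_mgmt_exec_t
EOF
}

case "${1:-}" in
    audit)
        n=0
        audit_labels || n=$?
        audit_processes ipsec_t || n=$((n + $?))
        exit $n ;;
    semanage) semanage_commands ;;
    *) echo "usage: $0 audit|semanage" >&2 ;;
esac
```

`sh audit_strongswan_labels.sh audit` prints one line per path and per daemon and exits with the number of mismatches; `sh audit_strongswan_labels.sh semanage | sh` followed by `restorecon -Rv /etc/strongswan /etc/rc.d/init.d /var/lock/subsys /usr/sbin` installs the mirrored rules as local customizations on a host still running an older policy. Two caveats: entries in file_contexts.local override the shipped policy, so delete them again with `semanage fcontext -d` once the errata build (selinux-policy-3.7.19-221.el6) is installed, and matchpathcon only reports what the policy says a path should carry, so confirm the on-disk labels with `restorecon -n -v` and the create-time transition with Comment 22's runcon/touch check.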
Comment 24 errata-xmlrpc 2013-11-21 05:46:31 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html