Bug 986883 - strongswan file contexts should mirror the current ipsec contexts
Summary: strongswan file contexts should mirror the current ipsec contexts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-07-22 10:23 UTC by Miroslav Grepl
Modified: 2013-11-21 10:46 UTC (History)

Fixed In Version: selinux-policy-3.7.19-221.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 984686
Environment:
Last Closed: 2013-11-21 10:46:31 UTC
Target Upstream Version:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description Miroslav Grepl 2013-07-22 10:23:33 UTC
+++ This bug was initially created as a clone of Bug #984686 +++

Description:
============

openswan has the correct fcontexts set, but strongswan is missing a few.

The current contexts for openswan:

  /etc/ipsec\.conf
  regular file   system_u:object_r:ipsec_conf_file_t:s0

  /etc/ipsec\.d(/.*)?
  all files      system_u:object_r:ipsec_key_file_t:s0

  /etc/ipsec\.d/examples(/.*)?
  all files      system_u:object_r:etc_t:s0

  /etc/ipsec\.secrets.*
  regular file   system_u:object_r:ipsec_key_file_t:s0

  /etc/rc\.d/init\.d/ipsec
  regular file   system_u:object_r:ipsec_initrc_exec_t:s0

  /var/lock/subsys/ipsec
  regular file   system_u:object_r:ipsec_mgmt_lock_t:s0 


However, the /etc/strongswan/ipsec.d/ directory only has this:

  /etc/strongswan(/.*)?
  all files      system_u:object_r:ipsec_conf_file_t:s0


Solution:
=========

The /etc/strongswan/ipsec.d/ directory should mirror the contexts above, so it looks like this:

  /etc/strongswan/ipsec\.conf
  regular file   system_u:object_r:ipsec_conf_file_t:s0

  /etc/strongswan/ipsec\.d(/.*)?
  all files      system_u:object_r:ipsec_key_file_t:s0

  /etc/strongswan/ipsec\.d/examples(/.*)?
  all files      system_u:object_r:etc_t:s0

  /etc/strongswan/ipsec\.secrets.*
  regular file   system_u:object_r:ipsec_key_file_t:s0

  /etc/rc\.d/init\.d/strongswan
  regular file   system_u:object_r:ipsec_initrc_exec_t:s0

  /var/lock/subsys/strongswan
  regular file   system_u:object_r:ipsec_mgmt_lock_t:s0 



Version-Release number of selected component (if applicable):

Could you please fix this on rawhide, f19, f18 and el6? Thanks!

--- Additional comment from Miroslav Grepl on 2013-07-16 04:52:30 EDT ---

Added.

commit 797d28d0dd8a6010078aab159aacfa64acb96b29
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Jul 16 10:36:28 2013 +0200

    Add additional labeling for strongswan

--- Additional comment from Jamie Nguyen on 2013-07-16 06:10:50 EDT ---

Thanks!

I forgot to mention that on EL6, it's also missing this one (in addition to all of the above mentioned):

  /usr/sbin/strongswan
  regular file   system_u:object_r:ipsec_mgmt_exec_t:s0

Comment 2 Milos Malik 2013-07-22 12:31:33 UTC
When selinux-policy 3.7.19-208.el6 is installed, strongswan processes run as initrc_t:

unconfined_u:system_r:initrc_t:s0 root    3114     1  0 14:26 ?        00:00:00 /usr/libexec/strongswan/starter
unconfined_u:system_r:initrc_t:s0 root    3116  3114  0 14:26 ?        00:00:00 /usr/libexec/strongswan/pluto --nofork --uniqueids
unconfined_u:system_r:initrc_t:s0 root    3318  3114  0 14:26 ?        00:00:00 /usr/libexec/strongswan/charon --use-syslog

Comment 3 Milos Malik 2013-07-22 12:56:11 UTC
Also a product of strongswan processes:
----
type=SOCKETCALL msg=audit(07/22/2013 14:36:57.485:94) : nargs=4 a0=3 a1=8f690a8 a2=44 a3=4000 
type=SYSCALL msg=audit(07/22/2013 14:36:57.485:94) : arch=i386 syscall=socketcall(send) success=yes exit=68 a0=9 a1=bf85c128 a2=4d8ff4 a3=14 items=0 ppid=1 pid=3114 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=starter exe=/usr/libexec/strongswan/starter subj=unconfined_u:system_r:initrc_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(07/22/2013 14:36:57.485:94) : SELinux:  unrecognized netlink message type=30026 for sclass=34 
----

Comment 6 Miroslav Grepl 2013-09-25 11:52:36 UTC
Additional fixes are needed.

Comment 8 Miroslav Grepl 2013-10-02 11:20:21 UTC
These are new.

Milos,
any chance to re-test in permissive mode and with full auditing?

Comment 15 Miroslav Grepl 2013-10-07 12:39:39 UTC
Ok, we do not support it also in Fedora.

Comment 22 Miroslav Grepl 2013-10-09 10:09:15 UTC
# semanage fcontext -l | grep charon
/var/run/charon\.ctl                               socket             system_u:object_r:ipsec_var_run_t:s0 
/var/run/charon\.pid                               regular file       system_u:object_r:ipsec_var_run_t:s0

# runcon -u system_u -r system_r -t initrc_t -- runcon -t ipsec_t -- touch /etc/strongswan/ipsec.secrets

# ls -Z /etc/strongswan/ipsec.secrets
-rw-r--r--. root root system_u:object_r:ipsec_key_file_t:s0 /etc/strongswan/ipsec.secrets

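Added example, not part of the bug report or of the selinux-policy sources: a small Python model of how a file_contexts table maps a path to a label, used to show why the single `/etc/strongswan(/.*)?` rule is not enough and to reproduce the check in comment 22. The spec table is constructed from the paths and types in the description (plus `/usr/sbin/strongswan` from comment 1), written in the compiled file_contexts format (`regex  [type flag]  context`). Two assumptions: the generic `/etc/strongswan(/.*)?` rule is placed before the more specific rules, and the last matching spec wins, which is the documented file_contexts rule this model follows.

```python
import re

# Type flags used in the compiled file_contexts format, mapped to the
# descriptions that "semanage fcontext -l" prints.  No flag means "all files".
FILE_TYPE_FLAGS = {
    "--": "regular file",
    "-d": "directory",
    "-l": "symbolic link",
    "-s": "socket",
    "-p": "named pipe",
    "-c": "character device",
    "-b": "block device",
}

# Constructed "before" table: the only strongswan rule the report says exists.
BEFORE_FCONTEXTS = r"""
/etc/strongswan(/.*)?                      system_u:object_r:ipsec_conf_file_t:s0
"""

# Constructed "after" table: the rules the report asks for, mirroring openswan.
# Ordering (generic rule first) is an assumption of this model.
STRONGSWAN_FCONTEXTS = r"""
/etc/strongswan(/.*)?                      system_u:object_r:ipsec_conf_file_t:s0
/etc/strongswan/ipsec\.conf            --  system_u:object_r:ipsec_conf_file_t:s0
/etc/strongswan/ipsec\.d(/.*)?             system_u:object_r:ipsec_key_file_t:s0
/etc/strongswan/ipsec\.d/examples(/.*)?    system_u:object_r:etc_t:s0
/etc/strongswan/ipsec\.secrets.*       --  system_u:object_r:ipsec_key_file_t:s0
/etc/rc\.d/init\.d/strongswan          --  system_u:object_r:ipsec_initrc_exec_t:s0
/usr/sbin/strongswan                   --  system_u:object_r:ipsec_mgmt_exec_t:s0
/var/lock/subsys/strongswan            --  system_u:object_r:ipsec_mgmt_lock_t:s0
"""

# Labels the report expects for a few concrete paths (the sub-paths under
# ipsec.d are constructed sample file names).
EXPECTED_TYPES = {
    ("/etc/strongswan/ipsec.conf", "regular file"): "ipsec_conf_file_t",
    ("/etc/strongswan/ipsec.secrets", "regular file"): "ipsec_key_file_t",
    ("/etc/strongswan/ipsec.d/private/host.key", "regular file"): "ipsec_key_file_t",
    ("/etc/strongswan/ipsec.d/examples/sample.conf", "regular file"): "etc_t",
    ("/var/lock/subsys/strongswan", "regular file"): "ipsec_mgmt_lock_t",
}


def parse_fcontexts(text):
    """Parse compiled-format entries into (compiled regex, file type or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, context = fields
            ftype = FILE_TYPE_FLAGS[flag]
        elif len(fields) == 2:
            regex, context = fields
            ftype = None  # applies to all file types
        else:
            raise ValueError(f"malformed file_contexts entry: {line!r}")
        specs.append((re.compile(regex), ftype, context))
    return specs


def lookup_context(specs, path, ftype="regular file"):
    """Return the context for path, or None if no spec matches.

    Regexes are anchored to the whole path (fullmatch), specs carrying a type
    flag only apply to that file type, and the last matching spec wins.
    """
    result = None
    for regex, spec_type, context in specs:
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.fullmatch(path):
            result = context
    return result


def audit_labels(specs, expected):
    """Return {(path, ftype): (expected_type, actual_type)} for every mismatch."""
    mismatches = {}
    for (path, ftype), want in expected.items():
        ctx = lookup_context(specs, path, ftype)
        got = ctx.split(":")[2] if ctx else None
        if got != want:
            mismatches[(path, ftype)] = (want, got)
    return mismatches


if __name__ == "__main__":
    for name, table in (("before", BEFORE_FCONTEXTS), ("after", STRONGSWAN_FCONTEXTS)):
        bad = audit_labels(parse_fcontexts(table), EXPECTED_TYPES)
        print(f"{name}: {len(bad)} mislabeled path(s)")
        for (path, _), (want, got) in sorted(bad.items()):
            print(f"  {path}: expected {want}, got {got}")
```

With only the generic rule, ipsec.secrets and the keys under ipsec.d come out as ipsec_conf_file_t, so any domain allowed to read the configuration would also be allowed to read the keys; with the mirrored rules the secrets file resolves to ipsec_key_file_t, the label the `ls -Z` in comment 22 shows.
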
Comment 24 errata-xmlrpc 2013-11-21 10:46:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

