Bug 591975 - SELinux denies write and read to socket during openswan connection
Summary: SELinux denies write and read to socket during openswan connection
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4.z
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-05-13 15:20 UTC by Aleš Mareček
Modified: 2011-01-13 21:49 UTC
5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
During an Openswan connection, SELinux did not allow the access to the socket, and relevant AVC messages were written to the audit log. With this update, a patch has been applied to add required SELinux rules, so that SELinux no longer denies this access.
Clone Of:
Environment:
Last Closed: 2011-01-13 21:49:34 UTC
Target Upstream Version:


Links
System: Red Hat Product Errata
ID: RHBA-2011:0026
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2011-01-12 16:11:15 UTC

Description Aleš Mareček 2010-05-13 15:20:34 UTC
Description of problem:
SELinux denies write and read to socket during openswan connection. See avc message:
----
time->Thu May 13 09:08:30 2010
type=SYSCALL msg=audit(1273756110.492:31467): arch=14 syscall=11 success=yes exit=0 a0=7cd896c a1=ffce8de4 a2=ffcef9b8 a3=ffcea84c items=0 ppid=31026 pid=31223 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5062 comm="sh" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561930]" dev=sockfs ino=1561930 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561929]" dev=sockfs ino=1561929 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
----
time->Thu May 13 09:08:30 2010
type=SYSCALL msg=audit(1273756110.511:31468): arch=14 syscall=11 success=yes exit=0 a0=100e7cd0 a1=100e86e0 a2=100edbb0 a3=0 items=0 ppid=31224 pid=31225 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5062 comm="ip" exe="/sbin/ip" subj=root:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1273756110.511:31468): avc: denied { write } for pid=31225 comm="ip" path="pipe:[1562542]" dev=pipefs ino=1562542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=fifo_file
type=AVC msg=audit(1273756110.511:31468): avc: denied { write } for pid=31225 comm="ip" path="pipe:[1562542]" dev=pipefs ino=1562542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=fifo_file
----

Version-Release number of selected component (if applicable):
openswan-2.6.21-5.el5_4.3 and older

How reproducible:
Always

Steps to Reproduce:
1. Turn on SELinux and configure openswan, for example as follows.
setenforce 1

/etc/ipsec.conf:
version 2.0

config setup
	crlcheckinterval="180"
	strictcrlpolicy=no
	protostack=netkey
	interfaces=%defaultroute
	plutodebug=all

conn host-host
	auto=add
	auth=esp
	authby=secret
	left=<left machine ip>
	right=<right machine ip>

/etc/ipsec.secrets:
: PSK "secret"

* On the second machine, change the IPs (left and right).

2. Restart openswan.
service ipsec restart (both sides)
ipsec auto --up host-host (left side)
3. See avc messages.
ausearch -m avc -ts recent
  
Actual results:
Avc messages found.

Expected results:
No avc messages.

Additional info:

Comment 2 Daniel Walsh 2010-05-14 13:12:53 UTC
This is either a leaked file descriptor from openswan or a redirection of stdout or stderr.

In RHEL6, audit2allow reports:

audit2allow -i /tmp/t


#============= ifconfig_t ==============
#!!!! This avc is allowed in the current policy

allow ifconfig_t ipsec_t:fifo_file write;

#============= ipsec_mgmt_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };

Miroslav, can you see if these rules are in the 5.5 policy?
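
The AVC records in the description and the allow rules audit2allow printed above are connected by a short parsing step. The following is an added example, not code from this bug report, from Red Hat's selinux-policy, or from audit2allow itself: it extracts the source domain, target type, object class and permissions from AVC records, folds them into allow rules in the form audit2allow prints, and separately flags denials on anonymous socket:[ino] / pipe:[ino] objects, which is the pattern behind the leaked-descriptor / redirected-stdout reading in this comment. The sample lines are the three AVC records copied from the report; the parser assumes one audit record per line and does not do the loaded-policy lookup that produces audit2allow's "!!!!" annotations.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records from this bug's audit log, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561930]" dev=sockfs ino=1561930 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1273756110.492:31467): avc: denied { read write } for pid=31223 comm="sh" path="socket:[1561929]" dev=sockfs ino=1561929 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1273756110.511:31468): avc: denied { write } for pid=31225 comm="ip" path="pipe:[1562542]" dev=pipefs ino=1562542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=fifo_file
"""

# Shape of a record: 'avc: denied { perm perm } for key=value key="quoted value" ...'
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the security-relevant parts of one AVC denial record, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:level]; the type (index 2) is what policy rules name.
    return {
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def synthesize_rules(audit_text):
    """Fold denials into one allow rule per (source, target, class), as audit2allow prints them."""
    perms_by_key = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms_by_key[(rec['sdomain'], rec['ttype'], rec['tclass'])] |= rec['perms']
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ ' + perm_text + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules


def inherited_fd_denials(audit_text):
    """Denials on anonymous socket:[ino] / pipe:[ino] objects.

    The denied process did not open these objects itself (they have no filesystem
    path), so the descriptors were inherited across the domain transition, which is
    why such denials read as a leaked descriptor or a redirected stdout/stderr rather
    than a deliberate open. Returns (comm, source domain, target type, class) tuples.
    """
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['path'] and rec['path'].split(':', 1)[0] in ('socket', 'pipe'):
            hits.append((rec['comm'], rec['sdomain'], rec['ttype'], rec['tclass']))
    return hits


if __name__ == '__main__':
    for rule in synthesize_rules(SAMPLE_AUDIT):
        print(rule)
    for hit in inherited_fd_denials(SAMPLE_AUDIT):
        print('inherited descriptor:', hit)
```

Run against the sample, synthesize_rules yields exactly the two rules audit2allow reported in this comment. The generated rules are a starting point for triage, not something to load as-is: whether the right fix is to close or redirect the inherited descriptor in the calling script or to allow (or dontaudit) the access in policy is the decision the maintainers make, and checking whether the loaded policy already contains such a rule is what audit2allow's annotations and the sesearch tool from setools are for.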

Comment 3 Daniel Walsh 2010-05-14 13:16:05 UTC
Does not look like these are in RHEL5 yet.

Miroslav, please backport the fixes in sysnetwork.if and ipsec.te.

Comment 4 Miroslav Grepl 2010-07-22 09:22:42 UTC
Fixed in selinux-policy-2.4.6-281.el5.noarch

Comment 7 Jaromir Hradilek 2011-01-05 16:14:51 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
During an Openswan connection, SELinux did not allow the access to the socket, and relevant AVC messages were written to the audit log. With this update, a patch has been applied to add required SELinux rules, so that SELinux no longer denies this access.

Comment 9 errata-xmlrpc 2011-01-13 21:49:34 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html