openswan start denied by selinux if a custom log file is used

Dominick Grift dominick.grift at gmail.com
Mon May 20 10:45:35 UTC 2013


On Mon, 2013-05-20 at 12:36 +0300, Manuel Wolfshant wrote:
> On 05/20/2013 12:31 PM, Manuel Wolfshant wrote:
> > Hello
> >
> >     I am using CentOS 6.4 and I want to store the logs from openswan 
> > into a different file ( /var/log/ipsec ) than the default. For this 
> > purpose I added
> >
> >     plutostderrlog=/var/log/ipsec
> >
> > to ipsec.conf.
> >     As long as I keep the server in permissive mode, openswan starts 
> > OK. If, however, I switch to enforcing, the daemon refuses to start 
> > with the following error message displayed in the console:
> >
> >     ipsec_setup: Starting Openswan IPsec
> >     U2.6.32/K3.0.78-1.el6.elrepo.x86_64...
> >     ipsec_setup: Cannot write to "/var/log/ipsec".
> >
> >     The audit log does not record anything useful so I tried to switch 
> > dontaudit to off and see if anything useful comes out. After running 
> > audit2allow and a bit of trial and error I came out with the following 
> > custom policy :
> >
> >     module myipsec 1.0;
> >
> >     require {
> >             type ipsec_t;
> >
> Sorry, this line is:
> 
>                  type ipsec_mgmt_t;
> 
> 
> >             type var_log_t;
> >             class file { write ioctl getattr append };
> >     }
> >
> >     #============= ipsec_mgmt_t ==============
> >
> >     allow ipsec_mgmt_t var_log_t:file write;
> >
> >
> >     The above policy worked for me but I am wondering if it is OK (I 
> > am mostly confused by the fact that the class includes " write ioctl 
> > getattr append " but the rule has only "write" ). And, assuming it is 
> > OK can this custom policy ( or the corrected one if needed ) be 
> > included in the default policy ?
> >
> >     TIA
> >
> >         manuel

This particular solution is a bad idea:

First let's see what ipsec types are available:

> # seinfo -t | grep ipsec
>    ipsecnat_port_t
>    ipsec_t
>    ipsec_initrc_exec_t
>    ipsec_mgmt_t
>    ipsec_log_t
>    ipsecnat_client_packet_t
>    ipsec_var_run_t
>    ipsec_key_file_t
>    ipsec_mgmt_var_run_t
>    ipsec_conf_file_t
>    ipsecnat_server_packet_t
>    ipsec_exec_t
>    ipsec_mgmt_exec_t
>    ipsec_mgmt_lock_t
>    ipsec_spd_t
>    ipsec_tmp_t

The policy is (mostly) written with self-documentation in mind, in this
case meaning that the name of the type describes its functionality.

As you can see, on my system it lists ipsec_log_t. I assume that this is
a type for ipsec log files.

Now we're going to use the sesearch command to see how ipsec_mgmt_t can
operate on ipsec_log_t files:

> # sesearch --allow -s ipsec_mgmt_t -t ipsec_log_t | grep " ipsec_log_t "
>    allow ipsec_mgmt_t ipsec_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
>    allow ipsec_mgmt_t ipsec_log_t : dir { ioctl read write getattr lock add_name remove_name search open } ;

So ipsec_mgmt_t is allowed pretty much full access to ipsec_log_t files;
it is also allowed to pretty much manage content in ipsec_log_t type
directories.

So the solution is to label your new log location with the ipsec_log_t
type.

But let's look at the stock location of the ipsec log file(s):

> semanage fcontext -l | grep ipsec_log_t
> /var/log/pluto\.log                                regular file       system_u:object_r:ipsec_log_t:s0

So there are some things to consider here:

Did you create /var/log/ipsec file manually?
How are you dealing with log rotation?

But I will make some assumptions (that you have created /var/log/ipsec
for ipsec manually).

The likely solution is:

semanage fcontext -a -t ipsec_log_t "/var/log/ipsec.*"
restorecon -v /var/log/ipsec

This solution is much cleaner because it means you do not have to allow
ipsec_mgmt_t to "write" generic log content.

By the way:

There seems to be a bug in ipsec in that it should not "write" to the
log file in the first place.

Instead it should "append" to the log file (open the log file for append
instead of write).

This can be important, as "write" allows for removal of log entries. We
do not want a compromised ipsec_mgmt_t labeled process to be able to
remove entries from the log file, as the entries can be important for
audit purposes in the event of calamity.

But, this is aside from the main issue, so take a brief note and forget
about it. Since the policy actually allows ipsec_mgmt_t to "write" to
ipsec_log_t labeled files :( 

So label your ipsec log file ipsec_log_t like the example above and you
should be set.

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
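To make the labelling argument concrete, here is an added example (my own, not from the thread or the refpolicy) that models file_contexts matching in Python over a constructed fcontext listing: it shows why /var/log/ipsec falls back to var_log_t under the stock rules, and how the "/var/log/ipsec.*" entry from the semanage command above moves both the live file and rotated copies to ipsec_log_t. The listing, the paths and the last-match precedence rule are assumptions.

```python
import re

# Constructed fcontext listing in the shape of `semanage fcontext -l` output.
# The /var/log entries mimic the stock CentOS 6 rules; LOCAL_RULE is the
# entry the semanage command in the thread adds. Sample data, not a real dump.
FCONTEXT_BEFORE = """\
/.*                     all files      system_u:object_r:default_t:s0
/var/log(/.*)?          all files      system_u:object_r:var_log_t:s0
/var/log/pluto\\.log     regular file   system_u:object_r:ipsec_log_t:s0
"""
LOCAL_RULE = "/var/log/ipsec.*        all files      system_u:object_r:ipsec_log_t:s0\n"


def parse_fcontext(text):
    """Turn listing lines into (compiled regex, file type, context) triples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        # First column is the regex, last is the context; the file type
        # ("all files", "regular file", ...) is whatever sits between them.
        regex, context = parts[0], parts[-1]
        ftype = " ".join(parts[1:-1])
        entries.append((re.compile(regex), ftype, context))
    return entries


def match_context(entries, path, is_dir=False):
    """Pick the context for `path`.

    Simplification (assumption): file_contexts regexes are anchored and the
    last matching entry wins, which is why a rule added with `semanage
    fcontext -a` (appended to file_contexts.local) overrides the generic
    /var/log(/.*)? rule. libselinux's stem-based ordering is ignored here.
    """
    wanted = "directory" if is_dir else "regular file"
    result = None
    for rx, ftype, context in entries:
        if ftype in ("all files", wanted) and rx.fullmatch(path):
            result = context
    return result


def selinux_type(context):
    """Extract the type field (user:role:type:level) from a context string."""
    return context.split(":")[2]
```

Run `selinux_type(match_context(parse_fcontext(FCONTEXT_BEFORE + LOCAL_RULE), "/var/log/ipsec-20130520"))` to see that a rotated log name also lands on ipsec_log_t, which is what makes the `.*` suffix matter for logrotate.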
