-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi,
We are using Openswan to connect two of our sites together via an IPsec tunnel. Recently we upgraded from FC3 to FC5 on our frontend firewalls, including the version of openswan, selinux policy, kernel, etc. We used to run in enforcing mode without any difficulties; it now seems that with enforcing mode on, Openswan does not seem to be able to add the route.
Using setenforce 0, the tunnel becomes active. As far as I can tell Openswan has difficulty adding the route to the right/left nexthop; although the status of the tunnel appears to be up, the routing does not appear to take place.
# audit2allow -a -t /var/log/audit/audit.log
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
Versions we are using are:

selinux-policy-targeted-2.2.43-4.fc5
kernel-2.6.16-1.2122_FC5
openswan-2.4.4-1.1.2.1
As I have not seen any other mention of this being an issue, I was wondering if anyone else has encountered this. I have also tested this on FC4 with the same result.
Am I right in assuming that openswan is using ifconfig to add the route? I have looked into the source policy that defines ipsec, which has no reference to ifconfig but rather to ipsec eroute.
I am not sure if this is just defined in the wrong place, or if it needs ifconfig to be added into the policy.
Regards,
Stuart James
On Mon, 26 Jun 2006 09:22:26 +0100 Stuart James stuart@secpay.com wrote:
I've followed this up in more detail, adding the following to /usr/src/redhat/SOURCES/serefpolicy-2.2.43/policy/modules/system/sysnetwork.te:

# IPsec
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket setopt;
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
allow ifconfig_t self:netlink_xfrm_socket bind;
allow ifconfig_t self:netlink_xfrm_socket read;
allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
Every time I added this and recompiled the source for the targeted policy, I got new errors in the audit.log. Although I have added

allow ifconfig_t self:netlink_xfrm_socket read;

I still get it in my audit.log when ipsec restarts:

Shutting down IPsec: Stopping Openswan IPsec...
Cannot talk to rtnetlink: Invalid argument
Cannot talk to rtnetlink: Invalid argument
[ OK ]
Starting IPsec: Starting Openswan IPsec 2.4.4...
insmod /lib/modules/2.6.16-1.2122_FC5/kernel/net/key/af_key.ko
insmod /lib/modules/2.6.16-1.2122_FC5/kernel/net/ipv4/xfrm4_tunnel.ko
Cannot talk to rtnetlink: Invalid argument
Cannot talk to rtnetlink: Invalid argument
Any help with this would be great.
Regards,
--
Stuart James
System Administrator
DDI - (44) 0 1765 643354
On Tue, 27 Jun 2006 12:48:22 +0100 Stuart James stuart@secpay.com wrote:
These rules seem to work now.
# IPsec
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket setopt;
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
allow ifconfig_t self:netlink_xfrm_socket bind;
allow ifconfig_t self:netlink_xfrm_socket read;
allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
allow ifconfig_t self:netlink_xfrm_socket { nlmsg_write read };
allow ifconfig_t unconfined_t:udp_socket { read write };
allow unlabeled_t self:association sendto;
allow unlabeled_t self:association recvfrom;
On Tue, 27 Jun 2006 14:46:29 +0100 Stuart James stuart@secpay.com wrote:
These rules seem to work now.
# IPSEC (openswan-2.4.x)
allow traceroute_t initrc_t:rawip_socket { read write };
allow traceroute_t initrc_t:udp_socket { read write };
allow traceroute_t user_home_dir_t:dir search;

allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket setopt;
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
allow ifconfig_t self:netlink_xfrm_socket bind;
allow ifconfig_t self:netlink_xfrm_socket read;
allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
allow ifconfig_t self:netlink_xfrm_socket { nlmsg_write read };
allow ifconfig_t unconfined_t:udp_socket { read write };
allow unlabeled_t self:association sendto;
allow unlabeled_t self:association recvfrom;
Regards,
Stuart James wrote:
OK, I can add the netlink_xfrm_socket stuff to upstream. They will be in tonight's policy.
The unlabeled_t should be gone with the latest policy.
I am not sure about:

allow ifconfig_t unconfined_t:udp_socket { read write };
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow traceroute_t initrc_t:rawip_socket { read write };
allow traceroute_t initrc_t:udp_socket { read write };
allow traceroute_t user_home_dir_t:dir search;
Could you attach avc messages for these?
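Editor's added example; it is not part of the thread and is not Openswan, Fedora or reference-policy code. Two points of context first: the "Cannot talk to rtnetlink" text is iproute2's own error when ip(8) cannot use its netlink socket, and the reference policy labels /sbin/ip ifconfig_exec_t, so ip runs in the same ifconfig_t domain as ifconfig, which is why the denials land there even though the policy for ipsec never mentions ifconfig. The script below shows what audit2allow does with such records and why the add-a-rule, recompile, get-a-new-denial loop in the thread happens: in enforcing mode the syscall fails at the first refused permission, so create, then bind, then getattr and so on only surface one rebuild at a time (running the restart once under setenforce 0 logs the whole set in one pass). It folds every denial for the same source type, target type and object class into a single allow rule, emits loadable-module source rather than a patch to serefpolicy, and flags cross-domain socket access such as ifconfig_t on an initrc_t udp_socket, which normally means a descriptor the init script left open across exec and is better closed (or covered by a dontaudit rule) than allowed. The audit.log lines are constructed for this example and the module name ipsec_local is an assumption.

```python
import re
from collections import defaultdict

# audit.log AVC records in the FC5-era format, constructed for this example.
# They mirror the denials reported in the thread: ip(8) running as ifconfig_t
# needs a netlink_xfrm_socket of its own, and has inherited two sockets from
# the initrc_t init script that exec'd it.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1151309025.101:412): avc:  denied  { create } for  pid=3172 comm="ip" scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151309025.102:413): avc:  denied  { bind } for  pid=3172 comm="ip" scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151309025.103:414): avc:  denied  { getattr } for  pid=3172 comm="ip" scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151309025.104:415): avc:  denied  { nlmsg_read write } for  pid=3172 comm="ip" scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151309025.105:416): avc:  denied  { read write } for  pid=3172 comm="ip" path="socket:[9181]" dev=sockfs ino=9181 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=udp_socket
type=AVC msg=audit(1151309025.106:417): avc:  denied  { read write } for  pid=3172 comm="ip" path="socket:[9177]" dev=sockfs ino=9177 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1151309025.106:417): arch=40000003 syscall=102 success=no exit=-13 comm="ip"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

# Object classes where a denial against a *different* domain's object usually
# means a descriptor inherited across exec, not something the program opened.
INHERITED_FD_CLASSES = {'fd', 'udp_socket', 'tcp_socket', 'rawip_socket',
                        'unix_stream_socket', 'unix_dgram_socket'}


def context_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_denials(log_text):
    """Union the denied permissions per (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other record types carry no AVC fields
        key = (context_type(m['scon']), context_type(m['tcon']), m['tclass'])
        denials[key].update(m['perms'].split())
    return denials


def allow_rules(denials):
    """One consolidated allow rule per key, in audit2allow's notation."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = 'self' if src == tgt else tgt
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ %s }' % perm_str
        rules.append('allow %s %s:%s %s;' % (src, target, cls, perm_str))
    return rules


def leaked_descriptors(denials):
    """Keys that look like leaked fds: another domain's socket or fd object."""
    return sorted(key for key in denials
                  if key[0] != key[1] and key[2] in INHERITED_FD_CLASSES)


def module_source(name, denials):
    """Loadable-module .te text: module header, require block, allow rules."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in denials.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in sorted(types)]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ['}', ''] + allow_rules(denials)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print(module_source('ipsec_local', found))  # hypothetical module name
    for src, tgt, cls in leaked_descriptors(found):
        print('# review: %s uses a %s %s, probably inherited across exec;'
              ' close it in the init script or dontaudit it' % (src, tgt, cls))
```

Save the printed text as ipsec_local.te and build and load it with checkmodule -M -m -o ipsec_local.mod ipsec_local.te, semodule_package -o ipsec_local.pp -m ipsec_local.mod and semodule -i ipsec_local.pp. That leaves the distribution's policy package untouched, and semodule -r ipsec_local drops the local rules once a fixed selinux-policy-targeted arrives. Treat the flagged cross-domain socket rules the way the last reply in the thread does: look at the raw AVC records (the path="socket:[...]" field is the tell) before granting anything to ifconfig_t on initrc_t or unconfined_t objects.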
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list