Hello, I configured Labeled IPsec on CentOS 7 using Libreswan and I found such a denial:
type=AVC msg=audit(1491053758.389:1366): avc: denied { polmatch } for pid=0 comm="swapper/0" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association
My config file on both hosts is:
# cat /etc/ipsec.conf
version 2

config setup
    protostack=netkey

conn ipsec_selinux_tunnel
    ...
    labeled_ipsec=yes
    policy_label=system_u:object_r:ipsec_spd_t:s0
It looks like the swapper process is missing a label?
I must add this rule to my own module:
allow unlabeled_t ipsec_spd_t:association { polmatch };
Is this not a bug?
On 04/02/2017 11:57 AM, Grzegorz Kuczyński wrote:
> Hello, I configured Labeled IPsec on CentOS 7 using Libreswan and I found such a denial:
> type=AVC msg=audit(1491053758.389:1366): avc: denied { polmatch } for pid=0 comm="swapper/0" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association
> My config file on both hosts is:
> # cat /etc/ipsec.conf
> version 2
>
> config setup
>     protostack=netkey
>
> conn ipsec_selinux_tunnel
>     ...
>     labeled_ipsec=yes
>     policy_label=system_u:object_r:ipsec_spd_t:s0
> It looks like the swapper process is missing a label?
Yes, it looks like your system is mislabeled. Did you boot with SELinux disabled and then turn SELinux back to enforcing/permissive?
To fix labels please run: # restorecon -Rv /
Then please restart the services running with the "unlabeled_t" label.
> I must add this rule to my own module:
> allow unlabeled_t ipsec_spd_t:association { polmatch };
This local module can be removed after full system relabel mentioned above.
Lukas.
> Is this not a bug?
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
SELinux on this system is always enabled; yes, I changed the mode from enforcing to permissive to do some tests, but I did this before installing libreswan (I checked this in the history).
restorecon - I did this before and again now; it does not change any context.
I thought about this denial again and the pid of this process caught my attention: why is it 0?
Thanks for reply...
On Sun, 2017-04-02 at 11:57 +0200, Grzegorz Kuczyński wrote:
> Hello, I configured Labeled IPsec on CentOS 7 using Libreswan and I found such a denial:
> type=AVC msg=audit(1491053758.389:1366): avc: denied { polmatch } for pid=0 comm="swapper/0" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association
> My config file on both hosts is:
> # cat /etc/ipsec.conf
> version 2
>
> config setup
>     protostack=netkey
>
> conn ipsec_selinux_tunnel
>     ...
>     labeled_ipsec=yes
>     policy_label=system_u:object_r:ipsec_spd_t:s0
> It looks like the swapper process is missing a label?
> I must add this rule to my own module:
> allow unlabeled_t ipsec_spd_t:association { polmatch };
> Is this not a bug?
The unlabeled context is from the flow, not the process, for this check. The current process is irrelevant, since this is happening on network input processing of the received packet. I guess the question is how did we end up with an unlabeled flow. What does 'ip xfrm state' show as the security context for the association?
FWIW, there is a sample configuration of labeled IPSEC over loopback (and tests for it) in the selinux-testsuite. That however is a manual configuration.
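The check suggested above (look at what `ip xfrm state` shows as the security context of each SA, and, later in the thread, confirm that an SA installed by hand with a ctx does show one) can be scripted so that an unlabeled SA is flagged rather than eyeballed. The following is an added example written for this thread, not code from the list, libreswan or the selinux-testsuite. It assumes iproute2's output layout, where a labeled SA carries an indented `security context <ctx>` line; the sample output is constructed from the format posted in the thread, with the keys replaced by placeholders and a third, transport-mode SA added to show the labeled case.

```python
"""Flag IPsec security associations (SAs) in `ip xfrm state` output that
carry no SELinux security context.

Added example for this list thread; not code from libreswan, iproute2 or the
selinux-testsuite. Assumes iproute2's layout: an SA starts with an unindented
`src ... dst ...` line, and a labeled SA has an indented
`security context <ctx>` line (assumption based on iproute2's xfrm printer).

Usage on a live host (as root):  ip xfrm state | python3 xfrm_check.py
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: two unlabeled ESP SAs in the shape posted in the thread
# (keys replaced by placeholders) plus one labeled AH SA for contrast.
SAMPLE_OUTPUT = """\
src 10.5.5.18 dst 10.5.5.10
\tproto esp spi 0xedbce21c reqid 16389 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0xPLACEHOLDER 96
\tenc cbc(aes) 0xPLACEHOLDER
src 10.5.5.10 dst 10.5.5.18
\tproto esp spi 0x921bce56 reqid 16389 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0xPLACEHOLDER 96
\tenc cbc(aes) 0xPLACEHOLDER
src 127.0.0.1 dst 127.0.0.1
\tproto ah spi 0x00000001 reqid 0 mode transport
\treplay-window 0
\tauth-trunc hmac(sha1) 0xPLACEHOLDER 96
\tsecurity context system_u:object_r:ipsec_spd_t:s0
"""


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    proto: str = ""
    spi: str = ""
    reqid: str = ""
    mode: str = ""
    context: Optional[str] = None  # None means the SA has no SELinux label


SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SA_PARAMS = re.compile(r"^\s+proto (\S+) spi (\S+) reqid (\S+) mode (\S+)")
SA_CONTEXT = re.compile(r"^\s+security context (\S+)")


def parse_xfrm_state(text: str) -> List[SecurityAssociation]:
    """Turn `ip xfrm state` output into one record per SA."""
    sas: List[SecurityAssociation] = []
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            sas.append(SecurityAssociation(src=m.group(1), dst=m.group(2)))
            continue
        if not sas:
            continue  # attribute line before any SA header; ignore
        current = sas[-1]
        m = SA_PARAMS.match(line)
        if m:
            current.proto, current.spi, current.reqid, current.mode = m.groups()
            continue
        m = SA_CONTEXT.match(line)
        if m:
            current.context = m.group(1)
    return sas


def unlabeled_sas(sas: List[SecurityAssociation]) -> List[SecurityAssociation]:
    """SAs without a context: traffic matched to them is seen as unlabeled_t."""
    return [sa for sa in sas if sa.context is None]


def report(text: str) -> int:
    """Print one line per SA and return the number of unlabeled SAs."""
    sas = parse_xfrm_state(text)
    missing = unlabeled_sas(sas)
    for sa in sas:
        status = sa.context if sa.context else "NO SECURITY CONTEXT"
        print(f"{sa.src} -> {sa.dst} {sa.proto} spi={sa.spi} mode={sa.mode}: {status}")
    print(f"{len(missing)} of {len(sas)} SA(s) unlabeled")
    return len(missing)


if __name__ == "__main__":
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(1 if report(data or SAMPLE_OUTPUT) else 0)
```

A non-zero exit status from `report` makes the check usable from a health-check script: the two libreswan-installed SAs in the sample come back without a context, which is exactly the condition that produces the `unlabeled_t` source context in the polmatch denial.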
[root@CnetOS7 ~]# ip xfrm state
src 10.5.5.18 dst 10.5.5.10
    proto esp spi 0xedbce21c reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x4f8cdee1b453dacf606fcf630d9c5b328b952404 96
    enc cbc(aes) 0x442da48e8178c4971275b9d889747536
src 10.5.5.10 dst 10.5.5.18
    proto esp spi 0x921bce56 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x7050af8d2c7c151db1ded71d5a4468eaafdc8a29 96
    enc cbc(aes) 0x8686ccf1127bb881fa382fe17f790d69
src 10.5.5.10 dst 10.5.5.18
    proto esp spi 0xe6ca8cc5 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x3aef0708d244ede7793e328b1937d0b70d425fb7 96
    enc cbc(aes) 0xa4cc55f6a88307b8f354fc3e8d576276
src 10.5.5.18 dst 10.5.5.10
    proto esp spi 0x5acea75b reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x731268575b53cfbd9cac20e988cfc5557d381036 96
    enc cbc(aes) 0x1defeab6aa6ac729f3082f6b70053918
Can this unlabeled flow be initiated from my own domain, for a simple TCP server and client communicating via this tunnel? What do you mean by "sample configuration" in the second paragraph?
On Tue, 2017-04-04 at 17:09 +0000, Grzegorz Kuczyński wrote:
> [root@CnetOS7 ~]# ip xfrm state
> src 10.5.5.18 dst 10.5.5.10
>     proto esp spi 0xedbce21c reqid 16389 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha1) 0x4f8cdee1b453dacf606fcf630d9c5b328b952404 96
>     enc cbc(aes) 0x442da48e8178c4971275b9d889747536
> src 10.5.5.10 dst 10.5.5.18
>     proto esp spi 0x921bce56 reqid 16389 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha1) 0x7050af8d2c7c151db1ded71d5a4468eaafdc8a29 96
>     enc cbc(aes) 0x8686ccf1127bb881fa382fe17f790d69
> src 10.5.5.10 dst 10.5.5.18
>     proto esp spi 0xe6ca8cc5 reqid 16389 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha1) 0x3aef0708d244ede7793e328b1937d0b70d425fb7 96
>     enc cbc(aes) 0xa4cc55f6a88307b8f354fc3e8d576276
> src 10.5.5.18 dst 10.5.5.10
>     proto esp spi 0x5acea75b reqid 16389 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha1) 0x731268575b53cfbd9cac20e988cfc5557d381036 96
>     enc cbc(aes) 0x1defeab6aa6ac729f3082f6b70053918
Hmm...no security contexts? That would explain why you are getting unlabeled_t. But I guess the question is why is pluto creating SAs without any security contexts. Seems like a bug there, but I am not sure.
> Can this unlabeled flow be initiated from my own domain, for a simple TCP server and client communicating via this tunnel? What do you mean by "sample configuration" in the second paragraph?
git clone https://github.com/SELinuxProject/selinux-testsuite
cd selinux-testsuite
cat selinux-testsuite/inet_socket/ipsec-load
That however is a manual configuration; doesn't use libreswan. Might be interesting though to confirm that the test works for you. You'll notice that if you run the ipsec-load script by hand and then run ip xfrm state, you'll see security contexts configured there.
Another reference is the SELinux Notebook, http://freecomputerbooks.com/The-SELinux-Notebook-The-Foundations.html
There is both the book itself and a source tarball with sample configurations.
tar xzf notebook-source-4.0.tar.gz
cd notebook-source
cat basic-selinux-policy/CIL/message-filter/ipsec.conf
OK, I run ipsec-load by hand and I have:
x4: RTNETLINK answers: Invalid argument
from this rule: ip xfrm policy ... ctx "system_u:object_r:test_spd_t:s0" ...
ip xfrm state show nothing...
log:
type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001
type=MAC_IPSEC_EVENT msg=audit(1491409613.572:207): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409613.572:207): arch=c000003e syscall=46 success=yes exit=16 a0=4 a1=7ffc059dea50 a2=0 a3=7ffc059de790 items=0 ppid=2966 pid=2967 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
So I changed test_spd_t to ipsec_spd_t and now the ip command is OK:
ip xfrm policy ... ctx "system_u:object_r:ipsec_spd_t:s0" ...
but ... ip xfrm state shows nothing...
log:
type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001
type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409549.370:202): arch=c000003e syscall=46 success=yes exit=16 a0=4 a1=7ffff54a6ad0 a2=0 a3=7ffff54a6810 items=0 ppid=2947 pid=2948 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.377:203): op=SPD-add auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=SYSCALL msg=audit(1491409549.377:203): arch=c000003e syscall=46 success=yes exit=300 a0=4 a1=7ffeca3ab0e0 a2=0 a3=7ffeca3aae20 items=0 ppid=2947 pid=2958 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.379:204): op=SPD-add auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1
type=SYSCALL msg=audit(1491409549.379:204): arch=c000003e syscall=46 success=yes exit=300 a0=4 a1=7ffca5a8e4e0 a2=0 a3=7ffca5a8e220 items=0 ppid=2947 pid=2959 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.383:205): op=SPD-add auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409549.383:205): arch=c000003e syscall=46 success=yes exit=300 a0=4 a1=7ffdb6e72080 a2=0 a3=7ffdb6e71dc0 items=0 ppid=2947 pid=2962 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_IPSEC_EVENT msg=audit(1491409549.385:206): op=SPD-add auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0 src=0000:0000:0000:0000:0000:0000:0000:0001 dst=0000:0000:0000:0000:0000:0000:0000:0001
type=SYSCALL msg=audit(1491409549.385:206): arch=c000003e syscall=46 success=yes exit=300 a0=4 a1=7ffc76f2f3f0 a2=0 a3=7ffc76f2f130 items=0 ppid=2947 pid=2963 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
So I understand labeled IPsec works, but not with libreswan?
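The audit records posted in this thread are the other place to confirm what the kernel actually installed: each MAC_IPSEC_EVENT SPD-add/SPD-delete record carries the SPD entry's label in sec_obj, and the original AVC denial carries the flow's source context. The following is an added example written for this thread, not code from the list, libreswan or the audit tooling; it parses raw records of the kinds shown above (sample records copied from the thread, with the expected label taken from the policy_label in the posted ipsec.conf) and reports SPD changes whose label differs from the one configured, plus any polmatch denials on the association class.

```python
"""Summarise labeled-IPsec audit records: MAC_IPSEC_EVENT SPD changes and AVC
`polmatch` denials on the `association` class.

Added example for this list thread; not code from libreswan, audit or SELinux
userspace. Sample records are copied from the thread. EXPECTED_LABEL is the
policy_label from the ipsec.conf posted in the thread.

Usage on a live host (as root):
    ausearch -m AVC,MAC_IPSEC_EVENT --raw | python3 ipsec_audit.py
"""
import re
import sys
from typing import Dict, Iterable, List, Tuple

EXPECTED_LABEL = "system_u:object_r:ipsec_spd_t:s0"

SAMPLE_RECORDS = [
    'type=AVC msg=audit(1491053758.389:1366): avc: denied { polmatch } for pid=0 comm="swapper/0" '
    'scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association',
    'type=MAC_IPSEC_EVENT msg=audit(1491409549.370:202): op=SPD-delete auid=0 ses=1 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 '
    'sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1',
    'type=MAC_IPSEC_EVENT msg=audit(1491409549.377:203): op=SPD-add auid=0 ses=1 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1 sec_alg=1 sec_doi=1 '
    'sec_obj=system_u:object_r:ipsec_spd_t:s0 src=127.0.0.1 dst=127.0.0.1',
    'type=SYSCALL msg=audit(1491409549.377:203): arch=c000003e syscall=46 success=yes exit=300 '
    'a0=4 a1=7ffeca3ab0e0 a2=0 a3=7ffeca3aae20 items=0 ppid=2947 pid=2958 auid=0 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
]

# key=value tokens; values are either double-quoted or a run of non-blanks.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set of an AVC denial is not key=value, so grab it separately.
AVC_PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one raw audit record into a field dict (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    m = AVC_PERMS.search(line)
    if m:
        fields["perms"] = " ".join(m.group(1).split())
    return fields


def spd_changes(records: Iterable[Dict[str, str]],
                expected: str = EXPECTED_LABEL) -> List[Tuple[str, str, str, str, bool]]:
    """(op, src, dst, sec_obj, label_matches) for every SPD-add/SPD-delete."""
    out = []
    for r in records:
        if r.get("type") != "MAC_IPSEC_EVENT" or not r.get("op", "").startswith("SPD-"):
            continue
        label = r.get("sec_obj", "")
        out.append((r["op"], r.get("src", ""), r.get("dst", ""), label, label == expected))
    return out


def polmatch_denials(records: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(scontext, tcontext) of each polmatch denial on the association class."""
    return [(r["scontext"], r["tcontext"]) for r in records
            if r.get("type") == "AVC" and r.get("tclass") == "association"
            and "polmatch" in r.get("perms", "").split()]


def summarise(lines: Iterable[str], expected: str = EXPECTED_LABEL) -> Dict[str, int]:
    """Counts a health check can act on: mislabeled SPD entries and denials."""
    records = [parse_record(l) for l in lines if l.strip()]
    changes = spd_changes(records, expected)
    denials = polmatch_denials(records)
    for op, src, dst, label, ok in changes:
        print(f"{op} {src} -> {dst} sec_obj={label} {'ok' if ok else 'UNEXPECTED LABEL'}")
    for sctx, tctx in denials:
        print(f"polmatch denied: flow {sctx} against SPD {tctx}")
    return {"spd_changes": len(changes),
            "mislabeled": sum(1 for c in changes if not c[4]),
            "polmatch_denials": len(denials)}


if __name__ == "__main__":
    source = SAMPLE_RECORDS if sys.stdin.isatty() else sys.stdin.read().splitlines()
    counts = summarise(source)
    sys.exit(1 if counts["mislabeled"] or counts["polmatch_denials"] else 0)
```

On the records from this thread the SPD entries installed by hand carry the configured label, so the only finding is the polmatch denial itself, whose scontext shows the flow rather than a process, which is the point made earlier in the thread.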