No progress, still open.
-- 
You received this bug notification because you are a member of HIPL core team, which is subscribed to HIPL.
https://bugs.launchpad.net/bugs/592160

Title: hipl and selinux

Status in Host Identity Protocol for Linux: New

Bug description:
Figure out how to configure selinux to work with hipl.

---

I have SELINUX=enforcing, SELINUXTYPE=targeted on stargazer and it works.
2.6.27.5-41.fc9.i686 kernel

---

How did you configure it?

---

hipd_init calls system("ifconfig dummy0 mtu"), but selinux does not allow its operations:

type=1400 audit(1229087479.615:28): avc: denied { read write } for pid=2462 comm="ifconfig" path="/var/lock/hipd.lock" dev=dm-1 ino=483418 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=1400 audit(1229087479.615:29): avc: denied { read write } for pid=2462 comm="ifconfig" path="socket:[64091]" dev=sockfs ino=64091 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=netlink_route_socket
type=1400 audit(1229087479.615:30): avc: denied { read write } for pid=2462 comm="ifconfig" path="socket:[64092]" dev=sockfs ino=64092 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=netlink_xfrm_socket
type=1400 audit(1229087479.615:31): avc: denied { read write } for pid=2462 comm="ifconfig" path="socket:[64093]" dev=sockfs ino=64093 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket
type=1400 audit(1229087479.615:32): avc: denied { read write } for pid=2462 comm="ifconfig" path="socket:[64094]" dev=sockfs ino=64094 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket
type=1400 audit(1229087479.615:33): avc: denied { read write } for pid=2462 comm="ifconfig" path="socket:[64096]" dev=sockfs ino=64096 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket
type=1400 audit(1229087479.615:34): avc: denied { read write } for pid=2462 comm="ifconfig" path="socket:[64098]" dev=sockfs ino=64098 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket

---

Is it enough to allow dummy0 in selinux?

---

Policy like this should help, but it does not look very correct.

    allow ifconfig_t initrc_t:netlink_route_socket { read write };
    allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
    allow ifconfig_t initrc_t:rawip_socket { read write };
    allow ifconfig_t initrc_t:udp_socket { read write };
    allow ifconfig_t var_lock_t:file { read write };

---

It is even worse: I get "SELinux: failure in selinux_parse_skb(), unable to parse packet" with ping6 2001:1c:9d:1d34:7d57:bd54:1d10:a393 (halko), but not with 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3 (ashenvale), 2001:1e:574e:2505:264a:b360:d8cc:1d75 (stargazer) or 2001:14:766e:fbee:f74d:ec73:d6c5:28c0 (hipserver).

So normally "it works", but it fails on some HITs.
[root@aeris ~]# ping6 -c1 2001:14:766e:fbee:f74d:ec73:d6c5:28c0
PING 2001:14:766e:fbee:f74d:ec73:d6c5:28c0(2001:14:766e:fbee:f74d:ec73:d6c5:28c0) 56 data bytes
64 bytes from 2001:14:766e:fbee:f74d:ec73:d6c5:28c0: icmp_seq=1 ttl=64 time=0.316 ms

--- 2001:14:766e:fbee:f74d:ec73:d6c5:28c0 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.316/0.316/0.316/0.000 ms

[root@aeris ~]# ping6 -c1 2001:1e:574e:2505:264a:b360:d8cc:1d75
PING 2001:1e:574e:2505:264a:b360:d8cc:1d75(2001:1e:574e:2505:264a:b360:d8cc:1d75) 56 data bytes
64 bytes from 2001:1e:574e:2505:264a:b360:d8cc:1d75: icmp_seq=1 ttl=64 time=0.355 ms

--- 2001:1e:574e:2505:264a:b360:d8cc:1d75 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.355/0.355/0.355/0.000 ms

[root@aeris ~]# ping6 -c1 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3
PING 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3(2001:1c:cbae:47ae:2871:f9c:eb94:c8e3) 56 data bytes
64 bytes from 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3: icmp_seq=1 ttl=64 time=0.351 ms

--- 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.351/0.351/0.351/0.000 ms

[root@aeris ~]# ping6 -c1 2001:1c:9d:1d34:7d57:bd54:1d10:a393
PING 2001:1c:9d:1d34:7d57:bd54:1d10:a393(2001:1c:9d:1d34:7d57:bd54:1d10:a393) 56 data bytes
ping: sendmsg: Operation not permitted
^C
--- 2001:1c:9d:1d34:7d57:bd54:1d10:a393 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 547ms

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:0014:766e:fbee:f74d:ec73:d6c5:28c0
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.7
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer IP: 2001:0708:0140:0220:0211:11ff:fe84:b791
 Peer hostname: hipserver.infrahip.net

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.2
 Local IP: 0000:0000:0000:0000:0000:0000:0000:0001
 Peer IP: 0000:0000:0000:0000:0000:0000:0000:0001
 Peer hostname: aeris.infrahip.net

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001e:574e:2505:264a:b360:d8cc:1d75
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.3
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer IP: 2001:0708:0140:0220:0215:60ff:fe9f:60c4
 Peer hostname:

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001c:cbae:47ae:2871:0f9c:eb94:c8e3
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.6
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer IP: 2001:0708:0140:0220:0000:0000:0000:0555
 Peer hostname: ashenvale.infrahip.net

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001e:359d:5b5f:77fb:19b1:eb03:aa3e
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.4
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer IP: 2001:0708:0140:0220:0213:e8ff:fe82:7341
 Peer hostname:

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001c:009d:1d34:7d57:bd54:1d10:a393
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.5
 Local IP: 193.167.187.149
 Peer IP: 193.167.187.26
 Peer hostname:

---

From Samu:

Network Labeling: IPSEC/xfrm
• Implicit packet labeling via IPSEC/xfrm.
• Security context stored in xfrm policy rules and states.
• Authorize socket's use of policy based on context.
• Build SAs with context of policy.
• Included in Linux 2.6.16.
• TCP SO_PEERSEC support, UDP SCM_SECURITY support added in Linux 2.6.17.

---

From Samu:

http://www.linuxtopia.org/online_books/redhat_selinux_guide/rhlcommon-section-0104.html

---

If you manage to get SELinux to work, please include a new section in the manual on this and document the exact steps on how to make it work. You can commit directly to the userspace branch. Samu has a book on SELinux which he promised to bring tomorrow to HIIT, but there should be plenty of material available on the net.
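Editor's note, added example (not part of the bug thread and not HIPL code): the five allow rules posted in the thread are exactly what falls out of the AVC records when each record is reduced to (source type, target type, object class, permissions) and duplicates are dropped, which is also what audit2allow does. The C below performs that reduction offline on the eight records quoted in the thread. The record strings are copied from the report; the struct and function names (avc_to_rules, format_rule, demo_rule) are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RULES 32

/* One allow rule: source type, target type, object class and the
 * permissions that were denied, as they appear in the AVC record. */
struct rule { char src[64], tgt[64], cls[64], perms[128]; };

/* Copy the value that follows "key=" in an audit record (up to the next
 * space or the end of the record) into out. Returns 1 if the key was present. */
static int avc_field(const char *rec, const char *key, char *out, size_t n)
{
    const char *p = strstr(rec, key);
    if (!p)
        return 0;
    p += strlen(key);
    size_t i = 0;
    while (*p && *p != ' ' && i + 1 < n)
        out[i++] = *p++;
    out[i] = '\0';
    return 1;
}

/* Reduce a "user:role:type:level" context to its type component, in place.
 * A context with fewer than three fields is left untouched. */
static void ctx_type(char *ctx)
{
    char *p = strchr(ctx, ':');
    p = p ? strchr(p + 1, ':') : NULL;
    if (!p)
        return;
    char *end = strchr(p + 1, ':');
    if (end)
        *end = '\0';
    memmove(ctx, p + 1, strlen(p + 1) + 1);
}

/* Extract the permission list between "{" and "}". Returns 1 on success. */
static int avc_perms(const char *rec, char *out, size_t n)
{
    const char *b = strchr(rec, '{');
    const char *e = b ? strchr(b, '}') : NULL;
    if (!b || !e)
        return 0;
    for (b++; *b == ' '; b++)
        ;
    size_t len = (size_t)(e - b);
    while (len && b[len - 1] == ' ')
        len--;
    if (len >= n)
        len = n - 1;
    memcpy(out, b, len);
    out[len] = '\0';
    return 1;
}

/* Reduce AVC denial records to allow rules, dropping exact duplicates
 * (same source, target, class and permission set). Returns the number of
 * rules, or -1 if a record lacks a field or more than max rules result. */
int avc_to_rules(const char *const *recs, int nrec, struct rule *rules, int max)
{
    int count = 0;
    for (int i = 0; i < nrec; i++) {
        struct rule r;
        if (!avc_field(recs[i], "scontext=", r.src, sizeof r.src) ||
            !avc_field(recs[i], "tcontext=", r.tgt, sizeof r.tgt) ||
            !avc_field(recs[i], "tclass=", r.cls, sizeof r.cls) ||
            !avc_perms(recs[i], r.perms, sizeof r.perms))
            return -1;
        ctx_type(r.src);
        ctx_type(r.tgt);
        int dup = 0;
        for (int j = 0; j < count && !dup; j++)
            dup = !strcmp(rules[j].src, r.src) && !strcmp(rules[j].tgt, r.tgt) &&
                  !strcmp(rules[j].cls, r.cls) && !strcmp(rules[j].perms, r.perms);
        if (dup)
            continue;
        if (count == max)
            return -1;
        rules[count++] = r;
    }
    return count;
}

/* Render one rule in policy syntax: allow src tgt:cls { perms }; */
void format_rule(const struct rule *r, char *out, size_t n)
{
    snprintf(out, n, "allow %s %s:%s { %s };", r->src, r->tgt, r->cls, r->perms);
}

/* The eight records quoted in the bug report, verbatim. */
static const char *const kRecords[] = {
    "type=1400 audit(1229087479.615:28): avc: denied { read write } for pid=2462 comm=\"ifconfig\" path=\"/var/lock/hipd.lock\" dev=dm-1 ino=483418 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file",
    "type=1400 audit(1229087479.615:29): avc: denied { read write } for pid=2462 comm=\"ifconfig\" path=\"socket:[64091]\" dev=sockfs ino=64091 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=netlink_route_socket",
    "type=1400 audit(1229087479.615:30): avc: denied { read write } for pid=2462 comm=\"ifconfig\" path=\"socket:[64092]\" dev=sockfs ino=64092 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=netlink_xfrm_socket",
    "type=1400 audit(1229087479.615:31): avc: denied { read write } for pid=2462 comm=\"ifconfig\" path=\"socket:[64093]\" dev=sockfs ino=64093 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket",
    "type=1400 audit(1229087479.615:32): avc: denied { read write } for pid=2462 comm=\"ifconfig\" path=\"socket:[64094]\" dev=sockfs ino=64094 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket",
    "type=1400 audit(1229087479.615:33): avc: denied { read write } for pid=2462 comm=\"ifconfig\" path=\"socket:[64096]\" dev=sockfs ino=64096 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket",
    "type=1400 audit(1229087479.615:34): avc: denied { read write } for pid=2462 comm=\"ifconfig\" path=\"socket:[64098]\" dev=sockfs ino=64098 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket",
};
#define NRECORDS ((int)(sizeof kRecords / sizeof kRecords[0]))

/* Number of distinct rules the report's records reduce to (5). */
int demo_rule_count(void)
{
    struct rule rules[MAX_RULES];
    return avc_to_rules(kRecords, NRECORDS, rules, MAX_RULES);
}

/* Text of the i-th rule derived from the report, or NULL if out of range. */
const char *demo_rule(int i)
{
    static struct rule rules[MAX_RULES];
    static char out[256];
    int n = avc_to_rules(kRecords, NRECORDS, rules, MAX_RULES);
    if (i < 0 || i >= n)
        return NULL;
    format_rule(&rules[i], out, sizeof out);
    return out;
}
```

Looping over demo_rule(0) .. demo_rule(4) prints the same five statements that were posted in the thread. The reason they "do not look very correct" is visible in the input: ifconfig has no reason of its own to hold /var/lock/hipd.lock or a netlink_xfrm_socket. Those descriptors belong to hipd (running as initrc_t) and were inherited through system(); on exec SELinux revalidates every inherited descriptor against the new domain and logs the ones ifconfig_t may not use. Rules of this shape would authorise the leak instead of removing it.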
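Editor's note, added example (not HIPL code and not proposed by anyone in the thread): the denials above are what a daemon gets when it calls system() with its lock file, netlink, raw and UDP sockets still open, because fork() hands every descriptor to the child and exec() keeps all that are not marked close-on-exec. The C below shows the two fixes a daemon would apply instead of widening policy: mark descriptors FD_CLOEXEC when they are created, and, as a fallback for descriptors that were not, close everything above stderr in the child between fork() and exec(). It also replaces system() with fork/execvp so no shell re-parses the command. The function names (mark_cloexec, run_helper, fd_leaks_into_child, leak_demo) are this example's own, and the probe assumes a POSIX sh on the system.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark one descriptor close-on-exec so no exec'd helper inherits it.
 * Returns 0 on success, -1 on error (e.g. fd is not open). */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Close every descriptor above stderr in the calling process. Meant for
 * the child between fork() and exec(), as a fallback for descriptors that
 * were not opened with O_CLOEXEC/SOCK_CLOEXEC. The loop is capped because
 * _SC_OPEN_MAX can be very large inside containers. */
static void close_inherited_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536)
        max = 65536;
    for (int fd = 3; fd < max; fd++)
        close(fd);
}

/* Run argv[0] with the given argument vector and wait for it. With
 * scrub_fds set, the child closes every descriptor above 2 before exec(),
 * so the helper only ever sees stdin, stdout and stderr. Returns the
 * child's exit status (0-255), 127 if exec failed, or -1 on fork/wait
 * failure. No shell is involved, unlike system(). */
int run_helper(char *const argv[], int scrub_fds)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (scrub_fds)
            close_inherited_fds();
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Does descriptor fd survive into a helper started by run_helper()?
 * Asks sh to write to fd N: the redirection fails with a nonzero status
 * when N is closed in the child. Returns 1 if the fd leaked, 0 if not. */
int fd_leaks_into_child(int fd, int scrub_fds)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; echo leaked >&%d", fd);
    char *const argv[] = { "sh", "-c", cmd, NULL };
    return run_helper(argv, scrub_fds) == 0;
}

/* Exercise the three cases on a fresh pipe (constructed here as a stand-in
 * for the daemon's sockets and lock file) and return a bitmask:
 * bit 2 = leaked with plain fork/exec, bit 1 = leaked after scrubbing in
 * the child, bit 0 = leaked with FD_CLOEXEC set and no scrubbing.
 * Only the first case leaks, so the result is 4. Returns -1 on error. */
int leak_demo(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int r = 0;
    r |= fd_leaks_into_child(p[1], 0) << 2;
    r |= fd_leaks_into_child(p[1], 1) << 1;
    if (mark_cloexec(p[1]) < 0)
        return -1;
    r |= fd_leaks_into_child(p[1], 0);
    close(p[0]);
    close(p[1]);
    return r;
}

int main(void)
{
    int r = leak_demo();
    if (r < 0)
        return 1;
    printf("plain fork/exec:         %s\n", (r & 4) ? "leaked" : "closed");
    printf("fds scrubbed in child:   %s\n", (r & 2) ? "leaked" : "closed");
    printf("FD_CLOEXEC, no scrub:    %s\n", (r & 1) ? "leaked" : "closed");
    return 0;
}
```

Applied to the report, the lock file and the sockets hipd opens would be created with O_CLOEXEC/SOCK_CLOEXEC (or passed through mark_cloexec), and the ifconfig call would go through run_helper with scrub_fds set. ifconfig then never holds an initrc_t socket or var_lock_t file, the denials disappear without any allow rule, and a compromised helper cannot reach the daemon's netlink or xfrm sockets either. On kernels with close_range(2) the scrub loop can be replaced by a single close_range(3, ~0U, 0) call.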