On 07/07/10 09:10, Gerard Braad wrote:
I have an issue when running SELinux in targeted mode with openswan
on CentOS 5.
On one node it works well, but another node fails with:
/bin/sh: error while loading shared libraries: libtermcap.so.2: cannot
open shared object file: Permission denied
when I try to do a 'service ipsec start'. with 'setenforce 0' the
service starts.
the output that ends up in my dmesg is:
type=1400 audit(1278489551.987:60): avc: denied { search } for
pid=1278 comm="ipsec" name="/" dev=xvda ino=2
scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
and as permissive:
type=1404 audit(1278489596.565:78): enforcing=0 old_enforcing=1
auid=4294967295 ses=4294967295
type=1400 audit(1278489600.661:79): avc: denied { search } for
pid=1292 comm="ipsec" name="/" dev=xvda ino=2
scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
type=1400 audit(1278489600.661:80): avc: denied { getattr } for
pid=1292 comm="ipsec" path="/" dev=xvda ino=2
scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
type=1400 audit(1278489600.681:81): avc: denied { read } for
pid=1292 comm="addconn" name="libnspr4.so" dev=xvda ino=7696
scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=1400 audit(1278489600.681:82): avc: denied { getattr } for
pid=1292 comm="addconn" path="/usr/lib64/libnspr4.so" dev=xvda
ino=7696 scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=1400 audit(1278489600.681:83): avc: denied { execute } for
pid=1292 comm="addconn" path="/usr/lib64/libnspr4.so" dev=xvda
ino=7696 scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=1400 audit(1278489600.693:84): avc: denied { read } for
pid=1295 comm="ipsec" name="sh" dev=xvda ino=25126
scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
type=1400 audit(1278489600.697:85): avc: denied { execute_no_trans }
for pid=1298 comm="_realsetup" path="/sbin/ip" dev=xvda ino=7805
scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=1400 audit(1278489600.701:86): avc: denied { create } for
pid=1298 comm="ip" scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket
The target contexts in most of these denials are file_t, indicating a
labelling problem. Has the system been run with SELinux in disabled mode
for some time? I'd suggest relabelling and trying again.
Paul.