On Mon, Aug 17, 2009 at 10:59:59AM +0200, Daniel Fazekas wrote:
selinux-policy-3.6.12-72.fc11.noarch
selinux-policy-targeted-3.6.12-72.fc11.noarch
ipsec-tools-0.7.2-1.fc11.x86_64
I'm getting a handful of racoon denials with what I believe is a pretty
common setup — is there anything I could be doing differently?
allow racoon_t shadow_t:file { read getattr open };
Well i can give you some direction into how to allow this stuff but i am not confident as
to wheter its the right this to do and i also have not tested any of it.
but in theory:
echo "policy_module(myracoon, 0.0.1)" > myracoon.te;
echo "require { type racoon_t; }" >> myracoon.te;
echo "auth_read_shadow(racoon_t)" >> myracoon.te;
This is needed for racoon to do XAuth logins with the default
auth_source of system. Unfortunately that's the only option available
with racoon as supplied in Fedora 11, as support for pam/ldap/radius
isn't built in.
The rest is all caused by my having a phase1_up/down script in /etc/
racoon/scripts (the directory and the script are both
system_u:object_r:bin_t:s0).
allow racoon_t setkey_exec_t:file { read execute open execute_no_trans };
allow racoon_t fs_t:filesystem getattr;
allow racoon_t tmp_t:dir { write remove_name getattr search add_name };
allow racoon_t tmp_t:file { write getattr read create unlink open };
echo "setkey_domtrans(racoon_t)" >> myracoon.te;
echo "fs_dontaudit_getattr_xattr_fs(racoon_t)" >> myracoon.te;
echo "type racoon_tmp_t;" >> myracoon.te;
echo "files_tmp_file(racoon_tmp_t)" >> myracoon.te;
echo "manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)" >>
myracoon.te;
echo "manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)" >>
myracoon.te;
echo "files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })" >>
myracoon.te;
make -f /usr/share/selinux/devel/Makefile myracoon.pp
sudo semodule -i myracoon.pp
This is just the rules translated into policy. I am not positive whether racoon or setkey
creates the object in tmp, read shadow, and get attributes of fs_t:filesystem.
This policy assumes racoon_t does all that.
Calling /sbin/setkey to add and remove SPDs is the primary reason to
have an up/down script.
The fs_t and tmp_t accesses are less clear why they are necessary. It's a
/bin/sh script which isn't doing anything other than calling /
sbin/setkey.
type=AVC msg=audit(1250495868.674:27320): avc: denied { getattr } for
pid=5436 comm="l2tp_up_down" path="/tmp" dev=dm-0 ino=26
scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27321): avc: denied { write } for
pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26
scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27322): avc: denied { getattr } for
pid=5436 comm="l2tp_up_down" name="/" dev=dm-0 ino=2
scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1250495868.674:27323): avc: denied { search } for
pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26
scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27323): avc: denied { add_name } for
pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043"
scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27323): avc: denied { create } for
pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043"
scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.674:27323): avc: denied { write open }
for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0
ino=218 scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.675:27324): avc: denied { getattr } for
pid=5436 comm="l2tp_up_down" path="/tmp/sh-thd-1250518043" dev=dm-0
ino=218 scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27325): avc: denied { read } for
pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0
ino=218
scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27326): avc: denied { remove_name }
for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0
ino=218 scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.676:27326): avc: denied { unlink } for
pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0
ino=218
scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27327): avc: denied { execute } for
pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27327): avc: denied { read open }
for pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27327): avc: denied {
execute_no_trans } for pid=5436 comm="l2tp_up_down"
path="/sbin/setkey"
dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.280:27354): avc: denied { execute } for
pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.280:27354): avc: denied { read open }
for pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.280:27354): avc: denied {
execute_no_trans } for pid=5533 comm="l2tp_up_down"
path="/sbin/setkey"
dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.293:27359): avc: denied { read } for
pid=5533 comm="setkey"
path=2F746D702F73682D7468642D31323530353139323239202864656C6574656429
dev=dm-0 ino=30914 scontext=system_u:system_r:racoon_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list