[strongswan] #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/ra

Pavel Šimerda pavlix at fedoraproject.org
Wed Feb 19 09:29:36 UTC 2014


commit b97f57cef970bac0c5ca8a4a335b6b269cdc146f
Author: Pavel Šimerda <psimerda at redhat.com>
Date:   Wed Feb 19 10:15:54 2014 +0100

    #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random

 strongswan-5.1.1-selinux.patch |   26 ++++++++++++++++++++++++++
 strongswan.spec                |    7 ++++++-
 2 files changed, 32 insertions(+), 1 deletions(-)
---
diff --git a/strongswan-5.1.1-selinux.patch b/strongswan-5.1.1-selinux.patch
new file mode 100644
index 0000000..e599099
--- /dev/null
+++ b/strongswan-5.1.1-selinux.patch
@@ -0,0 +1,26 @@
+diff --git a/src/charon/charon.c b/src/charon/charon.c
+index 089ac45..b644977 100644
+--- a/src/charon/charon.c
++++ b/src/charon/charon.c
+@@ -226,7 +226,7 @@ static bool check_pidfile()
+ 	}
+ 
+ 	/* create new pidfile */
+-	pidfile = fopen(PID_FILE, "w");
++	pidfile = fopen(PID_FILE, "we");
+ 	if (pidfile)
+ 	{
+ 		ignore_result(fchown(fileno(pidfile),
+diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
+index 1f10792..c79e87a 100644
+--- a/src/libstrongswan/plugins/random/random_plugin.c
++++ b/src/libstrongswan/plugins/random/random_plugin.c
+@@ -83,7 +83,7 @@ bool random_plugin_get_strong_equals_true()
+  */
+ static bool open_dev(char *file, int *fd)
+ {
+-	*fd = open(file, O_RDONLY);
++	*fd = open(file, O_RDONLY | O_CLOEXEC);
+ 	if (*fd == -1)
+ 	{
+ 		DBG1(DBG_LIB, "opening \"%s\" failed: %s", file, strerror(errno));
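Review bot: Only two descriptors are made close-on-exec here, the pidfile in check_pidfile() and the random device in open_dev(), so any other descriptor the daemon holds when it spawns a helper would presumably still be inherited and could trigger the same kind of SELinux denial. The remaining open()/fopen()/socket() call sites are outside this hunk and worth auditing for the same flag. Neither changed line says why the flag is there; I would add a comment at each site, e.g. `/* close-on-exec: keep this fd out of child processes, see #903638 */`. The `"e"` in `fopen(PID_FILE, "we")` is a glibc extension to the mode string, which is fine for this package but should be stated in that comment in case the patch is offered upstream. Both function bodies continue outside the hunk.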
diff --git a/strongswan.spec b/strongswan.spec
index 339b2d1..d6b28b8 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -9,7 +9,7 @@
 
 Name:           strongswan
 Version:        5.1.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        An OpenSource IPsec-based VPN Solution
 Group:          System Environment/Daemons
 License:        GPLv2+
@@ -21,6 +21,7 @@ Patch2:         libstrongswan-plugin.patch
 Patch3:         libstrongswan-settings-debug.patch
 Patch4:         libstrongswan-973315.patch
 Patch5:         strongswan-1036844.patch
+Patch6:		strongswan-5.1.1-selinux.patch
 
 BuildRequires:  gmp-devel autoconf automake
 BuildRequires:  libcurl-devel
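Review bot: The new `Patch6:` line has no comment saying what the patch fixes or whether it has been sent upstream, so a later rebase cannot tell when it is safe to drop. I would put a line such as `# #903638: open pidfile and random device with close-on-exec` directly above it. The tag and file name also appear to be separated by tabs, where Patch2 to Patch5 use spaces.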
@@ -83,6 +84,7 @@ implementation possessing a standard IF-IMC/IMV interface.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora
 
@@ -336,6 +338,9 @@ fi
 
 
 %changelog
+* Wed Feb 19 2014 Pavel Šimerda <psimerda at redhat.com> - 5.1.1-5
+- #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random
+
 * Thu Jan 09 2014 Pavel Šimerda <psimerda at redhat.com> - 5.1.1-4
 - Removed redundant patches and *.spec commands caused by branch merging
 

