openswan start denied by selinux if a custom log file is used

Manuel Wolfshant wolfy at nobugconsulting.ro
Mon May 20 09:36:57 UTC 2013


On 05/20/2013 12:31 PM, Manuel Wolfshant wrote:
> Hello
>
>     I am using CentOS 6.4 and I want to store the logs from openswan 
> into a different file ( /var/log/ipsec ) than the default. For this 
> purpose I added
>
>     plutostderrlog=/var/log/ipsec
>
> to ipsec.conf.
>     As long as I keep the server in permissive mode, openswan starts 
> OK. If, however, I switch to enforcing, the daemon refuses to start 
> with the following error message displayed in the console:
>
>     ipsec_setup: Starting Openswan IPsec
>     U2.6.32/K3.0.78-1.el6.elrepo.x86_64...
>     ipsec_setup: Cannot write to "/var/log/ipsec".
>
>     The audit log does not record anything useful so I tried to switch 
> dontaudit to off and see if anything useful comes out. After running 
> audit2allow and a bit of trial and error I came out with the following 
> custom policy :
>
>     module myipsec 1.0;
>
>     require {
>             type ipsec_t;
>
Sorry, this line is:

                 type ipsec_mgmt_t;


>             type var_log_t;
>             class file { write ioctl getattr append };
>     }
>
>     #============= ipsec_mgmt_t ==============
>
>     allow ipsec_mgmt_t var_log_t:file write;
>
>
>     The above policy worked for me but I am wondering if it is OK (I 
> am mostly confused by the fact that the class includes " write ioctl 
> getattr append " but the rule has only "write" ). And, assuming it is 
> OK can this custom policy ( or the corrected one if needed ) be 
> included in the default policy ?
>
>     TIA
>
>         manuel

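The corrected module from the reply (source type ipsec_mgmt_t, require block trimmed to what the allow rule uses), with the build/load steps and a small check that reports permissions listed in `require` but granted by no allow rule, which is the point the question raises. This is an added example, not code from the thread; the module name, file names and the post-install `sesearch` check are assumptions.

```shell
#!/bin/sh
# Constructed for this thread: writes a custom SELinux module that lets the
# ipsec_mgmt_t domain write a log file labelled var_log_t, builds and loads it.
MODULE=myipsec            # assumed module name
TE_FILE="${MODULE}.te"    # assumed file name
LOG_FILE=/var/log/ipsec   # the custom log path from the thread

render_te() {
    # The require block only needs the symbols the rule below references;
    # extra permissions there are accepted by checkmodule but grant nothing.
    cat <<EOF
module ${MODULE} 1.0;

require {
        type ipsec_mgmt_t;
        type var_log_t;
        class file { write };
}

#============= ipsec_mgmt_t ==============
allow ipsec_mgmt_t var_log_t:file write;
EOF
}

# Print each permission from "class file { ... }" in the require block that
# no "allow ...:file ..." rule in the same .te file actually grants.
unused_perms() {
    te="$1"
    required=$(sed -n 's/.*class file { \(.*\) }.*/\1/p' "$te")
    allowed=$(sed -n 's/^allow .*:file[[:space:]]*\(.*\);/\1/p' "$te" \
              | tr -d '{}' | tr '\n' ' ')
    for p in $required; do
        case " $allowed " in
            *" $p "*) ;;          # granted somewhere, nothing to report
            *) echo "$p" ;;
        esac
    done
}

build_and_load() {
    render_te > "$TE_FILE"
    checkmodule -M -m -o "${MODULE}.mod" "$TE_FILE"
    semodule_package -o "${MODULE}.pp" -m "${MODULE}.mod"
    semodule -i "${MODULE}.pp"
    # Confirm the rule is in the loaded policy and the log file is var_log_t
    # (otherwise the rule never applies, even though it loaded fine).
    sesearch -A -s ipsec_mgmt_t -t var_log_t -c file
    ls -Z "$LOG_FILE"
}

if [ "${1:-}" = "install" ]; then build_and_load; fi
```

Run `./myipsec.sh install` as root on the CentOS box to build and load; `unused_perms myipsec.te` on the original module from the thread lists `ioctl`, `getattr` and `append` as declared but never granted.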