| Summary: | SELinux is preventing /usr/libexec/ipsec/pluto from 'write' accesses on the file /etc/ipsec.d/cert8.db. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Hedayat Vatankhah <hedayatv> |
| Component: | libreswan | Assignee: | Paul Wouters <pwouters> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | dominick.grift, dwalsh, jdayer, lvrabec, mgrepl, pwouters |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:5a0bab2504d68b97e0a2ffbd8cd5ee448825dd0042dcd2ca099e9bb1ff125cb5 | ||
| Fixed In Version: | libreswan-3.10-3.fc19 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-09-19 10:12:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Why does libreswan/pluto trying to write into a config directory? Right now, nothing, so I'm testing using NSS_Init() versus NSS_InitReadWrite() which seems to work fine, However, if we have incoming CRLs that are fetched by pluto, (thread, helper process or other method like cronjob) we need to store those for future use. I'm not (yet) sure if we can store the CRLs in a different nss db file in /var/lib/pluto/ Well I can setup labeling on /etc/ipsec.d for this if necessary, although I would prefer not. Description of problem: Trying to use an ipsec tunnel Additional info: reporter: libreport-2.1.7 hashmarkername: setroubleshoot kernel: 3.11.3-201.fc19.x86_64 type: libreport dwalsh: libreswan 3.6 will open the db files readonly Great. libreswan-3.9-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/libreswan-3.9-1.fc20 libreswan-3.9-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/libreswan-3.9-1.fc19 Package libreswan-3.9-1.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing libreswan-3.9-1.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-8272/libreswan-3.9-1.fc19 then log in and leave karma (feedback). libreswan-3.10-3.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/libreswan-3.10-3.fc20 libreswan-3.10-3.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/libreswan-3.10-3.fc19 libreswan-3.10-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. libreswan-3.10-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Trying to connect to an L2TP VPN with ipsec enabled SELinux is preventing /usr/libexec/ipsec/pluto from 'write' accesses on the file /etc/ipsec.d/cert8.db. ***** Plugin catchall_labels (83.8 confidence) suggests ******************** If you want to allow pluto to have write access on the cert8.db file Then you need to change the label on /etc/ipsec.d/cert8.db Do # semanage fcontext -a -t FILE_TYPE '/etc/ipsec.d/cert8.db' where FILE_TYPE is one of the following: afs_cache_t, initrc_tmp_t, ipsec_key_file_t, ipsec_tmp_t, ipsec_var_run_t, net_conf_t, puppet_tmp_t, security_t, user_cron_spool_t. Then execute: restorecon -v '/etc/ipsec.d/cert8.db' ***** Plugin catchall (17.1 confidence) suggests *************************** If you believe that pluto should be allowed write access on the cert8.db file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pluto /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ipsec_t:s0 Target Context unconfined_u:object_r:etc_t:s0 Target Objects /etc/ipsec.d/cert8.db [ file ] Source pluto Source Path /usr/libexec/ipsec/pluto Port <Unknown> Host (removed) Source RPM Packages libreswan-3.5-2.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-74.8.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.11.3-201.fc19.x86_64 #1 SMP Thu Oct 3 00:47:03 UTC 2013 x86_64 x86_64 Alert Count 2 First Seen 2013-10-07 14:58:35 IRST Last Seen 2013-10-07 14:58:51 IRST Local ID 9901f76a-96ed-4b78-bb1d-7142bd740ece Raw Audit Messages type=AVC msg=audit(1381145331.944:639): avc: denied { write } for pid=26311 comm="pluto" name="cert8.db" dev="sda6" ino=2101181 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file type=SYSCALL msg=audit(1381145331.944:639): arch=x86_64 syscall=open success=yes exit=EINTR a0=7fe1f8979210 a1=2 a2=180 a3=0 items=0 ppid=26310 pid=26311 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null) Hash: pluto,ipsec_t,etc_t,file,write Additional info: reporter: libreport-2.1.7 hashmarkername: setroubleshoot kernel: 3.11.3-201.fc19.x86_64 type: libreport