Bug 386391
| Summary: | SELinux is preventing racoon (racoon_t) "name_bind" to (ipsecnat_port_t). | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | James Davidson <james> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 8 | CC: | gauret |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-01-30 19:20:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
James Davidson
2007-11-16 07:22:29 UTC
You can allow this for now by executing

```sh
# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp
```

Fixed in selinux-policy-3.0.8-57.fc8

I still have this problem with selinux-policy-targeted-3.0.8-62.fc8

On top of that, racoon is not allowed to write its pid file. I had to add the following policy module:

```
module racoonipsecnat 1.0;

require {
    type ipsecnat_port_t;
    type racoon_t;
    type var_run_t;
    class udp_socket name_bind;
    class file { read write };
}

#============= racoon_t ==============
allow racoon_t ipsecnat_port_t:udp_socket name_bind;
allow racoon_t var_run_t:file write;
```

You are right. There is a bug in the policy and we need a label for /var/run/racoon.pid

selinux-policy-targeted-3.0.8-65.fc8

```sh
chcon -t ipsec_var_run_t /var/run/racoon.pid
```

Should eliminate the need for the second rule.

Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.
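The thread above ends with the distinction that matters for triage: the `name_bind` denial is a genuine policy gap, while the pid-file `write` denial is a labeling bug that `chcon -t ipsec_var_run_t` fixes without any extra allow rule. The script below is an added example, not part of the bug report, that parses constructed AVC lines of the same shape, extracts the racoon_t denials, and maps each to the remedy the thread settled on; the audit lines and the function names `racoon_denials` and `remedy` are constructed for illustration.

```sh
#!/bin/sh
# Added example: triage AVC denials for racoon_t from audit.log-style lines.
# The three lines below are CONSTRUCTED to match the denial shape discussed in the
# bug (racoon_t name_bind on ipsecnat_port_t, write on var_run_t); the third is an
# unrelated denial so the filter has something to ignore.
CONSTRUCTED_AUDIT='type=AVC msg=audit(1195197749.123:45): avc:  denied  { name_bind } for  pid=2345 comm="racoon" src=4500 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1195197749.456:46): avc:  denied  { write } for  pid=2345 comm="racoon" name="racoon.pid" dev=tmpfs ino=1234 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1195197750.000:47): avc:  denied  { read } for  pid=999 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Print "permission tclass target_type" for every denial whose source domain is racoon_t.
# Replace the printf with `cat /var/log/audit/audit.log` to run it on a real log.
racoon_denials() {
    printf '%s\n' "$CONSTRUCTED_AUDIT" | awk '
        /avc: +denied/ && /scontext=[^ ]*:racoon_t:/ {
            perm = ""; tclass = ""; ttype = "";
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1);           # permission sits inside { }
                if ($i ~ /^tclass=/) tclass = substr($i, 8);
                if ($i ~ /^tcontext=/) {                  # user:role:type:level -> type
                    split(substr($i, 10), ctx, ":");
                    ttype = ctx[3];
                }
            }
            print perm, tclass, ttype;
        }'
}

# Map one denial (perm, tclass, target type) to the remedy the thread concluded on:
# a pid file carrying the generic var_run_t label is a labeling bug, fixed by relabeling
# rather than by an allow rule; the port bind needs the policy rule.
remedy() {
    case "$2:$3" in
        file:var_run_t)             echo "relabel: chcon -t ipsec_var_run_t /var/run/racoon.pid" ;;
        udp_socket:ipsecnat_port_t) echo "policy: allow racoon_t ipsecnat_port_t:udp_socket name_bind" ;;
        *)                          echo "unknown: review manually before writing any allow rule" ;;
    esac
}

racoon_denials | while read -r perm tclass ttype; do
    printf '%-10s %-11s %-18s -> %s\n' "$perm" "$tclass" "$ttype" "$(remedy "$perm" "$tclass" "$ttype")"
done
```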