Bug 386391
| Summary: | SELinux is preventing racoon (racoon_t) "name_bind" to (ipsecnat_port_t). | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | James Davidson <james> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 8 | CC: | gauret |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-01-30 19:20:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
You can allow this for now by executing # audit2allow -M mypol -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.0.8-57.fc8 I still have this problem with selinux-policy-targeted-3.0.8-62.fc8 On top of that, racoon is not allowed to write its pid file. I had to add the
following policy module :
module racoonipsecnat 1.0;
require {
type ipsecnat_port_t;
type racoon_t;
type var_run_t;
class udp_socket name_bind;
class file { read write };
}
#============= racoon_t ==============
allow racoon_t ipsecnat_port_t:udp_socket name_bind;
allow racoon_t var_run_t:file write;
You are right. There is a bug in the policy and we need a label for /var/run/racoon.pid selinux-policy-targeted-3.0.8-65.fc8 chcon -t ipsec_var_run_t /var/run/racoon.pid Should eliminate the need for the second rule. Bulk closing all bugs in Fedora updates in the modified state. If you bug is not fixed, please reopen. |
Detailed Description SELinux denied access requested by racoon. It is not expected that this access is required by racoon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Additional Information Source Context: system_u:system_r:racoon_t:s0 Target Context: system_u:object_r:ipsecnat_port_t:s0 Target Objects: None [ udp_socket ] Affected RPM Packages: Policy RPM: selinux-policy-3.0.8-53.fc8 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: plugins.catchall Host Name: aragorn.localdomain Platform: Linux aragorn.localdomain 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64 Alert Count: 3 First Seen: Thu 15 Nov 2007 09:47:53 PM PST Last Seen: Thu 15 Nov 2007 10:59:01 PM PST Local ID: 437cf221-fedf-4601-a5b9-3e378b4cb8fc Line Numbers: Raw Audit Messages : avc: denied { name_bind } for comm=racoon pid=4845 scontext=system_u:system_r:racoon_t:s0 src=4500 tclass=udp_socket tcontext=system_u:object_r:ipsecnat_port_t:s0