Bug 481710

Summary: Openswan SELinux denials
Product: Fedora
Component: openwsman
Version: 9
Status: CLOSED WONTFIX
Severity: medium
Priority: low
Hardware: All
OS: Linux
Reporter: Robert Brady <bradyr1>
Assignee: srinivas <srinivas_ramanatha>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: joe, matt_domsch, srinivas_ramanatha
Doc Type: Bug Fix
Last Closed: 2009-07-14 16:30:36 UTC

Description Robert Brady 2009-01-27 10:04:17 UTC
Description of problem:
SELinux denials when running # service ipsec start

Version-Release number of selected component (if applicable):
[root@sun ~]# ipsec --version
Linux Openswan U2.6.19/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.

[root@sun ~]# yum list openswan
Loaded plugins: refresh-packagekit
Installed Packages
openswan.i386                                                          2.6.19-1.fc9     installed

How reproducible: always
  
Actual results: from /var/log/messages
Jan 27 06:26:05 sun ipsec_setup: Starting Openswan IPsec U2.6.19/K2.6.27.9-73.fc9.i686...
Jan 27 06:26:06 sun setroubleshoot: SELinux is preventing logger (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages. run sealert -l 4b8243dc-7f59-40e6-af12-0eec143c0acb
Jan 27 06:26:06 sun pluto: adjusting ipsec.d to /etc/ipsec.d
Jan 27 06:26:06 sun setroubleshoot: SELinux is preventing logger (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages. run sealert -l 4b8243dc-7f59-40e6-af12-0eec143c0acb
Jan 27 06:26:06 sun setroubleshoot: SELinux is preventing logger (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages. run sealert -l 4b8243dc-7f59-40e6-af12-0eec143c0acb
Jan 27 06:26:06 sun setroubleshoot: SELinux is preventing logger (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages. run sealert -l 4b8243dc-7f59-40e6-af12-0eec143c0acb
Jan 27 06:26:07 sun setroubleshoot: SELinux is preventing auto (ipsec_mgmt_t) "execute_no_trans" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l 45f74970-ceaa-4d3b-b36d-de54c66abee3
Jan 27 06:26:07 sun setroubleshoot: SELinux is preventing logger (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages. run sealert -l 4b8243dc-7f59-40e6-af12-0eec143c0acb
Jan 27 06:26:07 sun setroubleshoot: SELinux is preventing the lwdnsq from using potentially mislabeled files (./tmp). For complete SELinux messages. run sealert -l b95f4a9e-3ebe-4e49-9126-36a04b549ad7
Jan 27 06:26:07 sun setroubleshoot: SELinux is preventing lwdnsq (ipsec_t) "ioctl" ipsec_t. For complete SELinux messages. run sealert -l 6c10423e-3f79-4678-a60e-bb34c05d6261

Comment 1 Joe Nall 2009-03-11 02:03:14 UTC
[root@fiona log]# grep ipsec audit/audit.log* | grep denied
audit/audit.log:type=AVC msg=audit(1236729171.744:5): avc:  denied  { create } for  pid=2550 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1235662140.142:5): avc:  denied  { create } for  pid=2473 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1235838798.322:5): avc:  denied  { create } for  pid=2483 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236556624.237:5): avc:  denied  { create } for  pid=2512 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236557705.065:5): avc:  denied  { create } for  pid=2520 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236562019.917:5): avc:  denied  { create } for  pid=2516 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236564100.537:5): avc:  denied  { create } for  pid=2546 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236565573.844:5): avc:  denied  { create } for  pid=2547 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236607762.164:5): avc:  denied  { create } for  pid=2552 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.2:type=AVC msg=audit(1234891415.043:16618): avc:  denied  { create } for  pid=14741 comm="lwdnsq" name="lwdnsq.log" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.2:type=AVC msg=audit(1234891576.327:16644): avc:  denied  { create } for  pid=15183 comm="lwdnsq" name="lwdnsq.log" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.2:type=AVC msg=audit(1234893334.424:16727): avc:  denied  { create } for  pid=15656 comm="lwdnsq" name="lwdnsq.log" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.2:type=AVC msg=audit(1234894854.923:16841): avc:  denied  { create } for  pid=16184 comm="lwdnsq" name="lwdnsq.log" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.3:type=AVC msg=audit(1233461592.584:5): avc:  denied  { create } for  pid=2503 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.3:type=AVC msg=audit(1233965028.361:5): avc:  denied  { create } for  pid=2514 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

[root@fiona log]# grep ipsec audit/audit.log* | grep denied | audit2allow 


#============= ipsec_t ==============
allow ipsec_t tmp_t:file create;

I think this is /usr/libexec/ipsec/lwdnsq trying to create a log. Not sure it makes sense.

Comment 2 Robert Brady 2009-03-11 08:05:04 UTC
[root@sun log]# tail  -n 500 audit/audit.log | grep ipsec 
[root@sun log]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.19/K2.6.27.19-78.2.30.fc9.i686...
[root@sun log]# service ipsec status
IPsec stopped
but...
has subsystem lock (/var/lock/subsys/ipsec)!
[root@sun log]# tail  -n 500 audit/audit.log | grep ipsec 
type=AVC msg=audit(1236757425.419:23): avc:  denied  { sendto } for  pid=3792 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757425.419:23): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf949770 a2=d5eff4 a3=14 items=0 ppid=3791 pid=3792 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757427.783:24): avc:  denied  { sendto } for  pid=3960 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757427.783:24): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb42990 a2=d5eff4 a3=14 items=0 ppid=3958 pid=3960 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757427.787:25): avc:  denied  { sendto } for  pid=3967 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757427.787:25): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf8bdf10 a2=d5eff4 a3=14 items=0 ppid=3774 pid=3967 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757427.826:26): avc:  denied  { sendto } for  pid=3965 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757427.826:26): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa03840 a2=d5eff4 a3=84851b8 items=0 ppid=1 pid=3965 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757428.510:27): avc:  denied  { name_bind } for  pid=3964 comm="pluto" src=500 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1236757428.510:27): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfeea900 a2=3fb808 a3=10 items=0 ppid=3962 pid=3964 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1236757428.528:28): avc:  denied  { write } for  pid=4081 comm="lwdnsq" name="tmp" dev=dm-0 ino=8052756 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1236757428.528:28): arch=40000003 syscall=5 success=no exit=-13 a0=9bf698 a1=442 a2=1b6 a3=440 items=0 ppid=3964 pid=4081 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lwdnsq" exe="/usr/libexec/ipsec/lwdnsq" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1236757428.530:29): avc:  denied  { sendto } for  pid=3965 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757428.530:29): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa03840 a2=d5eff4 a3=84851b8 items=0 ppid=1 pid=3965 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757428.533:30): avc:  denied  { sendto } for  pid=3965 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757428.533:30): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa03840 a2=d5eff4 a3=84851b8 items=0 ppid=1 pid=3965 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757428.533:31): avc:  denied  { sendto } for  pid=3965 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757428.533:31): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa03840 a2=d5eff4 a3=84851b8 items=0 ppid=1 pid=3965 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757438.557:32): avc:  denied  { write } for  pid=4093 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1236757438.557:32): arch=40000003 syscall=33 success=no exit=-13 a0=964ef88 a1=2 a2=d5eff4 a3=0 items=0 ppid=4087 pid=4093 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757438.559:33): avc:  denied  { sendto } for  pid=4100 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757438.559:33): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc09a40 a2=d5eff4 a3=8dd91b8 items=0 ppid=4093 pid=4100 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757438.566:34): avc:  denied  { write } for  pid=4101 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1236757438.566:34): arch=40000003 syscall=33 success=no exit=-13 a0=9138f98 a1=2 a2=d5eff4 a3=0 items=0 ppid=4087 pid=4101 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757438.567:35): avc:  denied  { sendto } for  pid=4108 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757438.567:35): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd1db60 a2=d5eff4 a3=9b0d1b8 items=0 ppid=4101 pid=4108 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
[root@sun log]# 

[root@sun log]# tail  -n 500 audit/audit.log | grep ipsec |audit2allow


#============= ipsec_mgmt_t ==============
allow ipsec_mgmt_t root_t:dir write;
allow ipsec_mgmt_t syslogd_t:unix_dgram_socket sendto;

#============= ipsec_t ==============
allow ipsec_t isakmp_port_t:udp_socket name_bind;
allow ipsec_t tmp_t:dir write;
[root@sun log]# 


Attempting to start ipsec generates these errors now

Summary:

SELinux is preventing logger (ipsec_mgmt_t) "sendto" syslogd_t.

Detailed Description:

SELinux denied access requested by logger. It is not expected that this access
is required by logger and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                system_u:system_r:syslogd_t:s0
Target Objects                /dev/log [ unix_dgram_socket ]
Source                        logger
Source Path                   /usr/bin/logger
Port                          <Unknown>
Host                          sun.nixtec.net
Source RPM Packages           util-linux-ng-2.13.1-8.3.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-125.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     sun.nixtec.net
Platform                      Linux sun.nixtec.net 2.6.27.19-78.2.30.fc9.i686 #1
                              SMP Tue Feb 24 20:09:23 EST 2009 i686 i686
Alert Count                   70
First Seen                    Tue 27 Jan 2009 06:37:45 PM EST
Last Seen                     Wed 11 Mar 2009 05:51:50 PM EST
Local ID                      320c8a9f-d7e6-4776-82c6-b7dbbfe4eb85
Line Numbers

Raw Audit Messages

node=sun.nixtec.net type=AVC msg=audit(1236757910.970:79): avc:  denied  { sendto } for  pid=5547 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket

node=sun.nixtec.net type=SYSCALL msg=audit(1236757910.970:79): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa9b8d0 a2=d5eff4 a3=91be1b8 items=0 ppid=5540 pid=5547 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)

SELinux is preventing setup (ipsec_mgmt_t) "write" to / (root_t). The SELinux
type root_t, is a generic type for all files in the directory and very few
processes (SELinux Domains) are allowed to write to this SELinux type. This type
of denial usual indicates a mislabeled file. By default a file created in a
directory has the gets the context of the parent directory, but SELinux policy
has rules about the creation of directories, that say if a process running in
one SELinux Domain (D1) creates a file in a directory with a particular SELinux
File Context (F1) the file gets a different File Context (F2). The policy
usually allows the SELinux Domain (D1) the ability to write, unlink, and append
on (F2). But if for some reason a file (/) was created with the wrong context,
this domain will be denied. The usual solution to this problem is to reset the
file context on the target file, restorecon -v '/'. If the file context does not
change from root_t, then this is probably a bug in policy. Please file a bug
report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
selinux-policy package. If it does change, you can try your application again to
see if it works. The file context could have been mislabeled by editing the file
or moving the file from a different directory, if the file keeps getting
mislabeled, check the init scripts to see if they are doing something to
mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v '/'

Fix Command:

restorecon '/'

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                / [ dir ]
Source                        setup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          sun.nixtec.net
Source RPM Packages           bash-3.2-23.fc9
Target RPM Packages           filesystem-2.4.13-1.fc9
Policy RPM                    selinux-policy-3.3.1-125.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     sun.nixtec.net
Platform                      Linux sun.nixtec.net 2.6.27.19-78.2.30.fc9.i686 #1
                              SMP Tue Feb 24 20:09:23 EST 2009 i686 i686
Alert Count                   14
First Seen                    Tue 27 Jan 2009 06:37:57 PM EST
Last Seen                     Wed 11 Mar 2009 05:51:50 PM EST
Local ID                      3f7d36a7-dba6-4344-8e54-ce916648ec43
Line Numbers

Raw Audit Messages

node=sun.nixtec.net type=AVC msg=audit(1236757910.970:78): avc:  denied  { write } for  pid=5540 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir

node=sun.nixtec.net type=SYSCALL msg=audit(1236757910.970:78): arch=40000003 syscall=33 success=no exit=-13 a0=9baaf98 a1=2 a2=d5eff4 a3=0 items=0 ppid=5526 pid=5540 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)

SELinux is preventing pluto (ipsec_t) "name_bind" isakmp_port_t.

Detailed Description:

SELinux denied access requested by pluto. It is not expected that this access is
required by pluto and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:isakmp_port_t:s0
Target Objects                None [ udp_socket ]
Source                        pluto
Source Path                   /usr/libexec/ipsec/pluto
Port                          500
Host                          sun.nixtec.net
Source RPM Packages           openswan-2.6.19-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-125.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     sun.nixtec.net
Platform                      Linux sun.nixtec.net 2.6.27.19-78.2.30.fc9.i686 #1
                              SMP Tue Feb 24 20:09:23 EST 2009 i686 i686
Alert Count                   7
First Seen                    Tue 27 Jan 2009 06:37:46 PM EST
Last Seen                     Wed 11 Mar 2009 05:51:39 PM EST
Local ID                      1d1ec829-d7b2-4da5-baa1-4ee7c7c3ecfc
Line Numbers

Raw Audit Messages

node=sun.nixtec.net type=AVC msg=audit(1236757899.930:72): avc:  denied  { name_bind } for  pid=5477 comm="pluto" src=500 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket

node=sun.nixtec.net type=SYSCALL msg=audit(1236757899.930:72): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfb5b820 a2=95b808 a3=10 items=0 ppid=5475 pid=5477 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)

SELinux is preventing the lwdnsq from using potentially mislabeled files
(./tmp).

Detailed Description:

SELinux has denied lwdnsq access to potentially mislabeled file(s) (./tmp). This
means that SELinux will not allow lwdnsq to use these files. It is common for
users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want lwdnsq to access this files, you need to relabel them using
restorecon -v './tmp'. You might want to relabel the entire directory using
restorecon -R -v './tmp'.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                ./tmp [ dir ]
Source                        lwdnsq
Source Path                   /usr/libexec/ipsec/lwdnsq
Port                          <Unknown>
Host                          sun.nixtec.net
Source RPM Packages           openswan-2.6.19-1.fc9
Target RPM Packages           filesystem-2.4.13-1.fc9
Policy RPM                    selinux-policy-3.3.1-125.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     sun.nixtec.net
Platform                      Linux sun.nixtec.net 2.6.27.19-78.2.30.fc9.i686 #1
                              SMP Tue Feb 24 20:09:23 EST 2009 i686 i686
Alert Count                   7
First Seen                    Tue 27 Jan 2009 06:37:46 PM EST
Last Seen                     Wed 11 Mar 2009 05:51:39 PM EST
Local ID                      73c1ec1b-496c-405d-992e-6e1ef0f9dffc
Line Numbers

Raw Audit Messages

node=sun.nixtec.net type=AVC msg=audit(1236757899.930:71): avc:  denied  { write } for  pid=5521 comm="lwdnsq" name="tmp" dev=dm-0 ino=8052756 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

node=sun.nixtec.net type=SYSCALL msg=audit(1236757899.930:71): arch=40000003 syscall=5 success=no exit=-13 a0=88a698 a1=442 a2=1b6 a3=440 items=0 ppid=5477 pid=5521 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lwdnsq" exe="/usr/libexec/ipsec/lwdnsq" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
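
As an added illustration, not part of the bug report or of audit2allow itself, the Python below parses AVC records of the kind quoted in comments 1 and 2, aggregates them per source type, target type and object class the way the audit2allow output above groups them, and flags denials whose target is a generic type (tmp_t, root_t) as label problems to check with restorecon before any allow rule is written. The sample records are copied from this bug; the generic-type triage rule is an assumption of this example, not something audit2allow does.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC/SYSCALL records copied from the audit logs
# quoted in comments 1 and 2 of this bug (one SYSCALL line is included to
# show that non-AVC records are skipped).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1236729171.744:5): avc:  denied  { create } for  pid=2550 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1236757425.419:23): avc:  denied  { sendto } for  pid=3792 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1236757428.510:27): avc:  denied  { name_bind } for  pid=3964 comm="pluto" src=500 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1236757428.528:28): avc:  denied  { write } for  pid=4081 comm="lwdnsq" name="tmp" dev=dm-0 ino=8052756 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1236757428.528:28): arch=40000003 syscall=5 success=no exit=-13 a0=9bf698 a1=442 a2=1b6 a3=440 items=0 ppid=3964 pid=4081 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lwdnsq" exe="/usr/libexec/ipsec/lwdnsq" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1236757438.557:32): avc:  denied  { write } for  pid=4093 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=AVC msg=audit(1236757438.566:34): avc:  denied  { write } for  pid=4101 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
"""

# Shape of an AVC record: verdict, permission set in braces, free-form
# key=value fields, then the source/target contexts and the object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+"
    r"(?P<fields>.*?)\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic of this example (assumption): targets of these generic types are the
# ones sealert above attributes to mislabeled files or a bad working directory.
GENERIC_TARGET_TYPES = {"tmp_t", "root_t"}


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", ""),
        "pid": fields.get("pid"),
        "object": fields.get("path") or fields.get("name") or fields.get("src") or "",
        "source_type": selinux_type(m.group("scontext")),
        "target_type": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        rules[key] |= rec["perms"]
        counts[key] += 1
    return rules, counts


def to_allow_rules(rules):
    """Render the aggregate in the audit2allow layout quoted in the bug."""
    out = []
    for src in sorted({key[0] for key in rules}):
        out.append(f"#============= {src} ==============")
        for (s, t, c) in sorted(rules):
            if s != src:
                continue
            perms = sorted(rules[(s, t, c)])
            text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            out.append(f"allow {s} {t}:{c} {text};")
    return out


def triage(rules):
    """Say, per aggregate key, whether to relabel first or treat it as a policy gap."""
    return {
        key: ("check labels first" if key[1] in GENERIC_TARGET_TYPES else "policy gap candidate")
        for key in rules
    }


if __name__ == "__main__":
    found, seen = summarize_denials(SAMPLE_AUDIT)
    for rule_line in to_allow_rules(found):
        print(rule_line)
    for key, advice in triage(found).items():
        print(f"{key}: {seen[key]} denial(s), {advice}")
```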

Comment 3 Bug Zapper 2009-06-10 03:30:51 UTC
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 4 Bug Zapper 2009-07-14 16:30:36 UTC
Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.