Bug 481710
Summary: | Openswan SElinux denials | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Robert Brady <bradyr1>
Component: | openwsman | Assignee: | srinivas <srinivas_ramanatha>
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | low | |
Version: | 9 | CC: | joe, matt_domsch, srinivas_ramanatha
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2009-07-14 16:30:36 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Robert Brady
2009-01-27 10:04:17 UTC
[root@fiona log]# grep ipsec audit/audit.log* | grep denied
audit/audit.log:type=AVC msg=audit(1236729171.744:5): avc: denied { create } for pid=2550 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1235662140.142:5): avc: denied { create } for pid=2473 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1235838798.322:5): avc: denied { create } for pid=2483 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236556624.237:5): avc: denied { create } for pid=2512 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236557705.065:5): avc: denied { create } for pid=2520 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236562019.917:5): avc: denied { create } for pid=2516 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236564100.537:5): avc: denied { create } for pid=2546 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236565573.844:5): avc: denied { create } for pid=2547 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236607762.164:5): avc: denied { create } for pid=2552 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.2:type=AVC msg=audit(1234891415.043:16618): avc: denied { create } for pid=14741 comm="lwdnsq" name="lwdnsq.log" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.2:type=AVC msg=audit(1234891576.327:16644): avc: denied { create } for pid=15183 comm="lwdnsq" name="lwdnsq.log" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.2:type=AVC msg=audit(1234893334.424:16727): avc: denied { create } for pid=15656 comm="lwdnsq" name="lwdnsq.log" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.2:type=AVC msg=audit(1234894854.923:16841): avc: denied { create } for pid=16184 comm="lwdnsq" name="lwdnsq.log" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.3:type=AVC msg=audit(1233461592.584:5): avc: denied { create } for pid=2503 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.3:type=AVC msg=audit(1233965028.361:5): avc: denied { create } for pid=2514 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

[root@fiona log]# grep ipsec audit/audit.log* | grep denied | audit2allow

#============= ipsec_t ==============
allow ipsec_t tmp_t:file create;

I think this is /usr/libexec/ipsec/lwdnsq trying to create a log. Not sure it makes sense.

[root@sun log]# tail -n 500 audit/audit.log | grep ipsec
[root@sun log]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.19/K2.6.27.19-78.2.30.fc9.i686...
[root@sun log]# service ipsec status
IPsec stopped but... has subsystem lock (/var/lock/subsys/ipsec)!
[root@sun log]# tail -n 500 audit/audit.log | grep ipsec
type=AVC msg=audit(1236757425.419:23): avc: denied { sendto } for pid=3792 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757425.419:23): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf949770 a2=d5eff4 a3=14 items=0 ppid=3791 pid=3792 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757427.783:24): avc: denied { sendto } for pid=3960 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757427.783:24): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb42990 a2=d5eff4 a3=14 items=0 ppid=3958 pid=3960 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757427.787:25): avc: denied { sendto } for pid=3967 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757427.787:25): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf8bdf10 a2=d5eff4 a3=14 items=0 ppid=3774 pid=3967 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757427.826:26): avc: denied { sendto } for pid=3965 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757427.826:26): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa03840 a2=d5eff4 a3=84851b8 items=0 ppid=1 pid=3965 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757428.510:27): avc: denied { name_bind } for pid=3964 comm="pluto" src=500 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1236757428.510:27): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfeea900 a2=3fb808 a3=10 items=0 ppid=3962 pid=3964 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1236757428.528:28): avc: denied { write } for pid=4081 comm="lwdnsq" name="tmp" dev=dm-0 ino=8052756 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1236757428.528:28): arch=40000003 syscall=5 success=no exit=-13 a0=9bf698 a1=442 a2=1b6 a3=440 items=0 ppid=3964 pid=4081 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lwdnsq" exe="/usr/libexec/ipsec/lwdnsq" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1236757428.530:29): avc: denied { sendto } for pid=3965 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757428.530:29): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa03840 a2=d5eff4 a3=84851b8 items=0 ppid=1 pid=3965 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757428.533:30): avc: denied { sendto } for pid=3965 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757428.533:30): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa03840 a2=d5eff4 a3=84851b8 items=0 ppid=1 pid=3965 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757428.533:31): avc: denied { sendto } for pid=3965 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757428.533:31): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa03840 a2=d5eff4 a3=84851b8 items=0 ppid=1 pid=3965 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757438.557:32): avc: denied { write } for pid=4093 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1236757438.557:32): arch=40000003 syscall=33 success=no exit=-13 a0=964ef88 a1=2 a2=d5eff4 a3=0 items=0 ppid=4087 pid=4093 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757438.559:33): avc: denied { sendto } for pid=4100 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757438.559:33): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc09a40 a2=d5eff4 a3=8dd91b8 items=0 ppid=4093 pid=4100 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757438.566:34): avc: denied { write } for pid=4101 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1236757438.566:34): arch=40000003 syscall=33 success=no exit=-13 a0=9138f98 a1=2 a2=d5eff4 a3=0 items=0 ppid=4087 pid=4101 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757438.567:35): avc: denied { sendto } for pid=4108 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757438.567:35): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd1db60 a2=d5eff4 a3=9b0d1b8 items=0 ppid=4101 pid=4108 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
[root@sun log]#
[root@sun log]# tail -n 500 audit/audit.log | grep ipsec |audit2allow

#============= ipsec_mgmt_t ==============
allow ipsec_mgmt_t root_t:dir write;
allow ipsec_mgmt_t syslogd_t:unix_dgram_socket sendto;

#============= ipsec_t ==============
allow ipsec_t isakmp_port_t:udp_socket name_bind;
allow ipsec_t tmp_t:dir write;
[root@sun log]#

Attempting to start ipsec generates these errors now:

Summary:

SELinux is preventing logger (ipsec_mgmt_t) "sendto" syslogd_t.

Detailed Description:

SELinux denied access requested by logger. It is not expected that this access is required by logger and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                system_u:system_r:syslogd_t:s0
Target Objects                /dev/log [ unix_dgram_socket ]
Source                        logger
Source Path                   /usr/bin/logger
Port                          <Unknown>
Host                          sun.nixtec.net
Source RPM Packages           util-linux-ng-2.13.1-8.3.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-125.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     sun.nixtec.net
Platform                      Linux sun.nixtec.net 2.6.27.19-78.2.30.fc9.i686 #1 SMP Tue Feb 24 20:09:23 EST 2009 i686 i686
Alert Count                   70
First Seen                    Tue 27 Jan 2009 06:37:45 PM EST
Last Seen                     Wed 11 Mar 2009 05:51:50 PM EST
Local ID                      320c8a9f-d7e6-4776-82c6-b7dbbfe4eb85
Line Numbers

Raw Audit Messages

node=sun.nixtec.net type=AVC msg=audit(1236757910.970:79): avc: denied { sendto } for pid=5547 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
node=sun.nixtec.net type=SYSCALL msg=audit(1236757910.970:79): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa9b8d0 a2=d5eff4 a3=91be1b8 items=0 ppid=5540 pid=5547 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)

Summary:

SELinux is preventing setup (ipsec_mgmt_t) "write" to / (root_t).

Detailed Description:

The SELinux type root_t, is a generic type for all files in the directory and very few processes (SELinux Domains) are allowed to write to this SELinux type. This type of denial usually indicates a mislabeled file. By default a file created in a directory gets the context of the parent directory, but SELinux policy has rules about the creation of directories, that say if a process running in one SELinux Domain (D1) creates a file in a directory with a particular SELinux File Context (F1) the file gets a different File Context (F2). The policy usually allows the SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for some reason a file (/) was created with the wrong context, this domain will be denied. The usual solution to this problem is to reset the file context on the target file, restorecon -v '/'. If the file context does not change from root_t, then this is probably a bug in policy. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy package. If it does change, you can try your application again to see if it works. The file context could have been mislabeled by editing the file or moving the file from a different directory, if the file keeps getting mislabeled, check the init scripts to see if they are doing something to mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v '/'

Fix Command:

restorecon '/'

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                / [ dir ]
Source                        setup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          sun.nixtec.net
Source RPM Packages           bash-3.2-23.fc9
Target RPM Packages           filesystem-2.4.13-1.fc9
Policy RPM                    selinux-policy-3.3.1-125.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     sun.nixtec.net
Platform                      Linux sun.nixtec.net 2.6.27.19-78.2.30.fc9.i686 #1 SMP Tue Feb 24 20:09:23 EST 2009 i686 i686
Alert Count                   14
First Seen                    Tue 27 Jan 2009 06:37:57 PM EST
Last Seen                     Wed 11 Mar 2009 05:51:50 PM EST
Local ID                      3f7d36a7-dba6-4344-8e54-ce916648ec43
Line Numbers

Raw Audit Messages

node=sun.nixtec.net type=AVC msg=audit(1236757910.970:78): avc: denied { write } for pid=5540 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=sun.nixtec.net type=SYSCALL msg=audit(1236757910.970:78): arch=40000003 syscall=33 success=no exit=-13 a0=9baaf98 a1=2 a2=d5eff4 a3=0 items=0 ppid=5526 pid=5540 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)

Summary:

SELinux is preventing pluto (ipsec_t) "name_bind" isakmp_port_t.

Detailed Description:

SELinux denied access requested by pluto. It is not expected that this access is required by pluto and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:isakmp_port_t:s0
Target Objects                None [ udp_socket ]
Source                        pluto
Source Path                   /usr/libexec/ipsec/pluto
Port                          500
Host                          sun.nixtec.net
Source RPM Packages           openswan-2.6.19-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-125.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     sun.nixtec.net
Platform                      Linux sun.nixtec.net 2.6.27.19-78.2.30.fc9.i686 #1 SMP Tue Feb 24 20:09:23 EST 2009 i686 i686
Alert Count                   7
First Seen                    Tue 27 Jan 2009 06:37:46 PM EST
Last Seen                     Wed 11 Mar 2009 05:51:39 PM EST
Local ID                      1d1ec829-d7b2-4da5-baa1-4ee7c7c3ecfc
Line Numbers

Raw Audit Messages

node=sun.nixtec.net type=AVC msg=audit(1236757899.930:72): avc: denied { name_bind } for pid=5477 comm="pluto" src=500 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
node=sun.nixtec.net type=SYSCALL msg=audit(1236757899.930:72): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfb5b820 a2=95b808 a3=10 items=0 ppid=5475 pid=5477 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)

Summary:

SELinux is preventing the lwdnsq from using potentially mislabeled files (./tmp).

Detailed Description:

SELinux has denied lwdnsq access to potentially mislabeled file(s) (./tmp). This means that SELinux will not allow lwdnsq to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want lwdnsq to access these files, you need to relabel them using restorecon -v './tmp'. You might want to relabel the entire directory using restorecon -R -v './tmp'.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                ./tmp [ dir ]
Source                        lwdnsq
Source Path                   /usr/libexec/ipsec/lwdnsq
Port                          <Unknown>
Host                          sun.nixtec.net
Source RPM Packages           openswan-2.6.19-1.fc9
Target RPM Packages           filesystem-2.4.13-1.fc9
Policy RPM                    selinux-policy-3.3.1-125.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     sun.nixtec.net
Platform                      Linux sun.nixtec.net 2.6.27.19-78.2.30.fc9.i686 #1 SMP Tue Feb 24 20:09:23 EST 2009 i686 i686
Alert Count                   7
First Seen                    Tue 27 Jan 2009 06:37:46 PM EST
Last Seen                     Wed 11 Mar 2009 05:51:39 PM EST
Local ID                      73c1ec1b-496c-405d-992e-6e1ef0f9dffc
Line Numbers

Raw Audit Messages

node=sun.nixtec.net type=AVC msg=audit(1236757899.930:71): avc: denied { write } for pid=5521 comm="lwdnsq" name="tmp" dev=dm-0 ino=8052756 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=sun.nixtec.net type=SYSCALL msg=audit(1236757899.930:71): arch=40000003 syscall=5 success=no exit=-13 a0=88a698 a1=442 a2=1b6 a3=440 items=0 ppid=5477 pid=5521 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lwdnsq" exe="/usr/libexec/ipsec/lwdnsq" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)

This message is a reminder that Fedora 9 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 9. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 9 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
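The report above pipes raw AVC records through audit2allow to get a per-domain list of allow rules, and setroubleshoot then sorts the same denials into "mislabeled file" versus "catchall" cases. The following Python script is an added example, not part of the bug report or of audit2allow or setroubleshoot: it parses AVC records of the shape pasted above, aggregates them into the same `allow source target:class perm;` layout audit2allow printed, and applies a small triage heuristic (an assumption of this example, not setroubleshoot's actual plugin logic) that separates likely mislabels, which `restorecon` should fix, from accesses the policy genuinely lacks. The sample records are abbreviated copies of denials from the report, embedded so the script runs offline.

```python
"""Summarise SELinux AVC denials the way audit2allow does and triage them.

Added example: the regex, grouping and triage heuristic are this script's own,
not code from audit2allow or setroubleshoot. SAMPLE_RECORDS are abbreviated
copies of the denials in the bug report plus one SYSCALL line to show that
non-AVC records are skipped.
"""
import re
from collections import defaultdict

# One AVC record; works with "audit/audit.log:" or "node=host " prefixes
# because we use re.search rather than re.match.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?P<rest>.*?)scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)'
)
OBJECT_RE = re.compile(r'(?:name|path)="?([^" ]+)"?')

SAMPLE_RECORDS = [
    'audit/audit.log:type=AVC msg=audit(1236729171.744:5): avc: denied { create } for pid=2550 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1236757425.419:23): avc: denied { sendto } for pid=3792 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1236757428.510:27): avc: denied { name_bind } for pid=3964 comm="pluto" src=500 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1236757428.528:28): avc: denied { write } for pid=4081 comm="lwdnsq" name="tmp" dev=dm-0 ino=8052756 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
    'node=sun.nixtec.net type=AVC msg=audit(1236757910.970:78): avc: denied { write } for pid=5540 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1236757428.528:28): arch=40000003 syscall=5 success=no exit=-13 comm="lwdnsq" exe="/usr/libexec/ipsec/lwdnsq"',
]


def selinux_type(context):
    """user:role:type[:level] -> type (the third field)."""
    return context.split(':')[2]


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()          # "{ read write }" -> two perms
    rec['stype'] = selinux_type(rec['scontext'])
    rec['ttype'] = selinux_type(rec['tcontext'])
    obj = OBJECT_RE.search(rec['rest'])           # name= or path= if present
    rec['object'] = obj.group(1) if obj else None
    return rec


def summarise(lines):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return rules


def format_rules(rules):
    """Render the groups in audit2allow's per-source-domain layout."""
    out = []
    for stype in sorted({key[0] for key in rules}):
        out.append(f'#============= {stype} ==============')
        for (s, t, c) in sorted(rules):
            if s != stype:
                continue
            perms = sorted(rules[(s, t, c)])
            perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
            out.append(f'allow {s} {t}:{c} {perm_str};')
    return '\n'.join(out)


def triage(rec):
    """Heuristic first pass (this example's assumption, not setroubleshoot's rules):
    writes into generic root_t / tmp_t objects usually mean a mislabel, so run
    restorecon before touching policy; port binds are missing policy."""
    if rec['tclass'] in ('dir', 'file') and rec['ttype'] in ('root_t', 'tmp_t'):
        return 'possible mislabel: run restorecon -v on the target and retry'
    if rec['ttype'].endswith('_port_t'):
        return 'port access missing from policy: report against selinux-policy'
    return 'catchall: unexpected access, review before allowing'


if __name__ == '__main__':
    print(format_rules(summarise(SAMPLE_RECORDS)))
    for line in SAMPLE_RECORDS:
        rec = parse_avc(line)
        if rec:
            print(f"{rec['comm']:8} {rec['tclass']:18} {rec['object'] or '-':12} {triage(rec)}")
```

Run on the records from the report the rule list reproduces the two audit2allow blocks shown above (plus the `tmp_t:file create` rule from the first host), which makes the point the reporter was unsure about: the `tmp_t` and `root_t` denials come from processes writing into generic directories and are a labeling or packaging question, while the `isakmp_port_t` bind is a plain missing rule for pluto.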