Bug 545369
| Summary: | strict policy blocks 'racoonctl show-sa ipsec' in enforcing mode | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy-strict | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5.4 | CC: | dwalsh |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-03-30 07:49:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
I added

```
########################################
## <summary>
##	Connect to racoon using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`ipsec_stream_connect_racoon',`
	gen_require(`
		type racoon_t, ipsec_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
')

ipsec_stream_connect_racoon(sysadm_t)
```

to F12.

Fixed in selinux-policy-2.4.6-266.el5.noarch

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
Description of problem:

Version-Release number of selected component (if applicable):

```
selinux-policy-mls-2.4.6-255.el5
selinux-policy-strict-2.4.6-255.el5
selinux-policy-devel-2.4.6-255.el5
selinux-policy-2.4.6-255.el5
selinux-policy-targeted-2.4.6-255.el5
ipsec-tools-0.6.5-13.el5_3.1
```

How reproducible: always

Steps to Reproduce:

```
# setenforce 1
# racoon -v
# ps ax | grep -i racoon
 9436 ?        Ss     0:00 racoon -v
 9445 ttySG0   S+     0:00 grep -i racoon
# matchpathcon /var/racoon
/var/racoon	system_u:object_r:ipsec_var_run_t
# matchpathcon /var/racoon/racoon.sock
/var/racoon/racoon.sock	system_u:object_r:ipsec_var_run_t
# restorecon -Rv /var/racoon
# racoonctl show-sa ipsec
send: Bad file descriptor
# ausearch -m AVC -ts recent
----
time->Tue Dec  8 05:35:38 2009
type=SYSCALL msg=audit(1260268538.518:102): arch=c0000032 syscall=1192 success=yes exit=0 a0=3 a1=60000fffff91394a a2=6e a3=40000000000215d8 items=0 ppid=9110 pid=9442 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttySG0 ses=5 comm="racoonctl" exe="/usr/sbin/racoonctl" subj=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1260268538.518:102): avc:  denied  { connectto } for  pid=9442 comm="racoonctl" path="/var/racoon/racoon.sock" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:system_r:racoon_t:s0-s0:c0.c1023 tclass=unix_stream_socket
# setenforce 0
# racoonctl show-sa ipsec
No SAD entries.
#
```

Actual results: AVC

Expected results: no AVCs
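As an added example (not part of the bug report or of the selinux-policy package), the Python below parses the AVC record quoted in the report, prints the raw allow rule an audit2allow-style tool would derive from it, and checks that the rules granted by the ipsec_stream_connect_racoon() interface from the fix actually cover that denial. The macro expansions are modelled on the reference policy's stream_connect_pattern() and files_search_pids() definitions (files_search_pids() reduced to its var_run_t search rule), and are assumptions of this example, not text from the page.

```python
import re

# AVC record copied from the bug report (whitespace normalised).
AVC_LINE = ('type=AVC msg=audit(1260268538.518:102): avc: denied { connectto } '
            'for pid=9442 comm="racoonctl" path="/var/racoon/racoon.sock" '
            'scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
            'tcontext=root:system_r:racoon_t:s0-s0:c0.c1023 tclass=unix_stream_socket')

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                     r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, frozenset(perms)) from an AVC denial."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial record')
    stype = m.group('scon').split(':')[2]   # user:role:type[:range] -> type
    ttype = m.group('tcon').split(':')[2]
    return stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())

def minimal_allow_rule(line):
    """The raw rule an audit2allow-style tool would print for this denial."""
    stype, ttype, tclass, perms = parse_avc(line)
    return f'allow {stype} {ttype}:{tclass} {{ {" ".join(sorted(perms))} }};'

# Permission sets as in refpolicy's obj_perm_sets (assumed, see lead-in).
SEARCH_DIR_PERMS = frozenset({'getattr', 'search', 'open'})
WRITE_SOCK_FILE_PERMS = frozenset({'getattr', 'write', 'append', 'open'})

def stream_connect_pattern(domain, dir_type, sock_type, server):
    """Rules produced by refpolicy's stream_connect_pattern() macro."""
    return [(domain, dir_type, 'dir', SEARCH_DIR_PERMS),
            (domain, sock_type, 'sock_file', WRITE_SOCK_FILE_PERMS),
            (domain, server, 'unix_stream_socket', frozenset({'connectto'}))]

def ipsec_stream_connect_racoon(domain):
    """Rules granted by the interface added in the fix, for a given caller domain."""
    return ([(domain, 'var_run_t', 'dir', SEARCH_DIR_PERMS)]          # files_search_pids($1)
            + stream_connect_pattern(domain, 'ipsec_var_run_t', 'ipsec_var_run_t', 'racoon_t'))

def denial_covered(line, rules):
    """True if some rule allows every permission the denial asked for."""
    stype, ttype, tclass, perms = parse_avc(line)
    return any(s == stype and t == ttype and c == tclass and perms <= p
               for s, t, c, p in rules)

if __name__ == '__main__':
    print(minimal_allow_rule(AVC_LINE))
    print(denial_covered(AVC_LINE, ipsec_stream_connect_racoon('sysadm_t')))  # True
    print(denial_covered(AVC_LINE, ipsec_stream_connect_racoon('staff_t')))   # False
```

The second check shows why the fix calls the interface for sysadm_t specifically: granting it to another domain leaves the sysadm_t denial in place.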