Bug 591975
| Summary: | SELinux denies write and read to socket during openswan connection | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Aleš Mareček <amarecek> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 5.4.z | CC: | avagarwa, ebenes, jrieden, mgrepl, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | During an Openswan connection, SELinux did not allow the access to the socket, and relevant AVC messages were written to the audit log. With this update, a patch has been applied to add required SELinux rules, so that SELinux no longer denies this access. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-01-13 21:49:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Aleš Mareček
2010-05-13 15:20:34 UTC
This is either a leaked file descriptor from openswan or a redirection of stdout or stderr. In RHEL6 audit2allow reports:

```
audit2allow -i /tmp/t

#============= ifconfig_t ==============
#!!!! This avc is allowed in the current policy
allow ifconfig_t ipsec_t:fifo_file write;

#============= ipsec_mgmt_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
```

Miroslav can you see if these rules are in 5.5 policy?

Does not look like these are in RHEL5 yet.

Miroslav, please backport the fixes in sysnetwork.if and ipsec.te.

Fixed in selinux-policy-2.4.6-281.el5.noarch

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
During an Openswan connection, SELinux did not allow the access to the socket, and relevant AVC messages were written to the audit log. With this update, a patch has been applied to add required SELinux rules, so that SELinux no longer denies this access.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html
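As an added example, not the policy shipped in selinux-policy-2.4.6-281.el5 and not code from the bug thread, here is how an administrator could carry the two rules from the audit2allow output into a local policy module while waiting for the errata; the module name local_ipsec_fd is an assumption. It mirrors what the audit2allow annotations say the RHEL6 policy does: the fifo write is granted, while the socket access by ipsec_mgmt_t, which the comment attributes to a leaked descriptor or redirected stdout/stderr rather than something the scripts need, is only silenced with dontaudit.

```selinux
# Constructed local policy module; the module name is an assumption.
# Build and load on RHEL 5 with the policycoreutils tools:
#   checkmodule -M -m -o local_ipsec_fd.mod local_ipsec_fd.te
#   semodule_package -o local_ipsec_fd.pp -m local_ipsec_fd.mod
#   semodule -i local_ipsec_fd.pp
# Remove it again once selinux-policy-2.4.6-281.el5 or later is installed:
#   semodule -r local_ipsec_fd

module local_ipsec_fd 1.0;

require {
    type ifconfig_t;
    type ipsec_t;
    type ipsec_mgmt_t;
    class fifo_file write;
    class unix_stream_socket { read write };
}

# ifconfig is started by the IPsec scripts with an inherited pipe owned by
# ipsec_t; the RHEL6 policy grants this write, so grant it here too.
allow ifconfig_t ipsec_t:fifo_file write;

# The unix stream socket ipsec_mgmt_t touches is inherited from ipsec_t
# (leaked descriptor or redirected stdout/stderr), not an access the
# management scripts rely on. The RHEL6 policy only suppresses the AVC;
# change this to "allow" only if the connection actually fails without it.
dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
```

After loading, re-run the connection and confirm with `ausearch -m avc -ts recent` that the two denials no longer appear; any new AVC against a different class means the leaked descriptor is being used for more than the page reports and should be investigated rather than allowed.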