| Summary: | openswan debugging facility which allows coredumps in case of problems is broken by selinux policy dontaudit | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Tuomo Soini <tis> | |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | |
| Status: | CLOSED ERRATA | QA Contact: | Karel Srot <ksrot> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 6.0 | CC: | dwalsh, ksrot, mmalik, pwouters | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.7.19-80.el6 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 689960 (view as bug list) | Environment: | ||
| Last Closed: | 2011-05-19 12:26:49 UTC | Type: | --- | |
We should allow this.

```
# startup scripts of pluto need to be able to set ulimit -c unlimited
allow ipsec_t ipsec_mgmt_t:process rlimitinh;
```

Fixed in selinux-policy-3.7.19-80.el6

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
Description of problem:
openswan has a facility to enable coredumps by adding the config variable dumpdir= in the config setup section. SELinux prevents this but doesn't give an AVC denial about the issue.

How reproducible:
Always

avc generated with semodule -DB

```
type=AVC msg=audit(1300825551.591:24204): avc: denied { rlimitinh } for pid=31204 comm="sh" scontext=user_u:system_r:ipsec_t:s0 tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=process
```

This needs to be allowed so that openswan startup can enable coredumps.
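The mapping from the AVC record in this report to the `allow` rule that fixed it, as an added example that is not part of the original bug report or the selinux-policy project. It is a simplified stand-in for the kind of translation `audit2allow` performs; the function names `parse_avc` and `allow_rules` are hypothetical.

```python
import re

# AVC record quoted in the report; it only reached the audit log after
# `semodule -DB` rebuilt the policy with dontaudit rules disabled.
SAMPLE = ('type=AVC msg=audit(1300825551.591:24204): avc: denied { rlimitinh } '
          'for pid=31204 comm="sh" scontext=user_u:system_r:ipsec_t:s0 '
          'tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=process')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return source type, target type, class and permissions, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    perms = m.group('perms').split()
    try:
        # A context is user:role:type[:level]; the type is the third field.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    if not perms:
        return None
    return {'source': source, 'target': target,
            'tclass': tclass, 'perms': perms}


def allow_rules(lines):
    """Merge denials per (source, target, class) into policy allow rules."""
    grouped = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # not an AVC denial, or malformed
        key = (rec['source'], rec['target'], rec['tclass'])
        grouped.setdefault(key, set()).update(rec['perms'])
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        tgt = 'self' if tgt == src else tgt
        names = sorted(perms)
        text = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {tgt}:{tclass} {text};')
    return rules
```

Run over the record above, `allow_rules([SAMPLE])` yields the same rule that was added to the policy.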