Bug 748971
| Summary: | missing SELinux rules cause openswan labeled IPsec to fail | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Joshua Roys <roysjosh> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.1 | CC: | dwalsh, mmalik, syeghiay |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 12:28:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I would say this is fixed in the latest RHEL6 (I will be able to check it tomorrow). You could try it with the latest release available on http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ Since RHEL 6.2 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. Hi Joshua, if you upgrade selinux-policy packages to 3.7.19-145.el6, do you still see the problem ? Packages are available at http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html |
Description of problem: missing allow rules lead to no labeled ipsec for openswan (ipsec_t). There are equivalent allows for racoon (racoon_t). Version-Release number of selected component (if applicable): selinux-policy-3.7.19-93.el6_1.7 How reproducible: setup labeled ipsec in enforcing Actual results: no labeled ipsec Expected results: labeled ipsec Additional info: policy_module(ipsec-local, 1.0.0) require { type ifconfig_t; type ipsec_t; } allow ipsec_t self:netlink_selinux_socket { bind create read }; allow ifconfig_t ipsec_t:unix_stream_socket { read write }; selinux_compute_access_vector(ipsec_t)