Bug 984690
| Summary: | strongswan needs a few extra permissions | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jamie Nguyen <jamielinux> | ||||||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | unspecified | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | 20 | CC: | dominick.grift, dwalsh, jamielinux, mgrepl | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2014-02-23 15:28:52 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
Could you please attach AVC msgs for these rules. Thank you. Created attachment 774163 [details]
AVC logs on F19
Just a note that on EL6, strongswan currently runs as initrc_t so I've not seen any AVC messages. If you introduce the fcontext changes in: https://bugzilla.redhat.com/show_bug.cgi?id=984686 to EL6, as well as the additional one I mention in this comment: https://bugzilla.redhat.com/show_bug.cgi?id=984686#c2 then I get some AVC messages which I'll attach. Created attachment 774164 [details]
AVC logs on EL6 (after adding required fcontexts)
Created attachment 775201 [details]
AVC logs on F19
I am adding fixes to Fedora. Could please clone this bug for RHEL. This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle. Changing version to '20'. More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20 selinux-policy-3.12.1-83.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-83.fc20 Package selinux-policy-3.12.1-83.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-83.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-17722/selinux-policy-3.12.1-83.fc20 then log in and leave karma (feedback). Package selinux-policy-3.12.1-84.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-84.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-17722/selinux-policy-3.12.1-84.fc20 then log in and leave karma (feedback). |
Description of problem: strongswan fails to start with a fairly simple configuration. Turns out there are a few selinux permissions missing, but that was easily remedied with a custom module.te that I've pasted below. Feel free to suggest what may or may not be a good idea in default policy, but this is the minimal permissions I needed to get strongswan running. Please do commit a fix in rawhide, f19, f18 and el6, that would be much appreciated! :-) require { type ipsec_t; type sysctl_net_t; type dhcpc_port_t; class capability { net_raw setgid }; class netlink_route_socket nlmsg_write; class udp_socket name_bind; class file write; class packet_socket { create setopt }; } #============= ipsec_t ============== allow ipsec_t dhcpc_port_t:udp_socket name_bind; allow ipsec_t self:capability { net_raw setgid }; allow ipsec_t self:netlink_route_socket nlmsg_write; allow ipsec_t self:packet_socket { create setopt }; allow ipsec_t sysctl_net_t:file write;