Bug 994483
| Summary: | SELinux is preventing /usr/bin/mkdir from 'create' accesses on the directory pluto. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Gerd Hoffmann <kraxel> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | mmalik |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | abrt_hash:e832823612792897f87af7438254269cd42c0657e1aa43db3c77dd061e3faa57 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-13 11:01:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Could you test it with the latest policy builds. Retested with selinux-policy-3.12.1-69.el7.noarch, still happens. If you switch to permissive and run # ls -dZ /run/pluto what does it show? [root@nilsson ~]# ls -dZ /run/pluto drwx------. root root system_u:object_r:var_run_t:s0 /run/pluto Grabbed libreswan-3.5-1.el7.x86_64 (which will replace openswan in rhel7 according to tech-list) from brew, tried again, same result. # restorecon -R -v /run/pluto
will fix it.
commit d55febf21b41bb0b430dc1bcc81759e085aba9a9
Author: Miroslav Grepl <mgrepl>
Date: Mon Aug 19 12:19:50 2013 +0200
Make sure /run/pluto dir is created with correct labeling
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |
Description of problem: try start ipsec vpn connection SELinux is preventing /usr/bin/mkdir from 'create' accesses on the directory pluto. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that mkdir should be allowed create access on the pluto directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mkdir /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ipsec_mgmt_t:s0 Target Context system_u:object_r:var_run_t:s0 Target Objects pluto [ dir ] Source mkdir Source Path /usr/bin/mkdir Port <Unknown> Host (removed) Source RPM Packages coreutils-8.21-11.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-56.el7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.10.0-6.el7.x86_64 #1 SMP Tue Aug 6 17:22:48 EDT 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-08-07 13:13:26 CEST Last Seen 2013-08-07 13:13:26 CEST Local ID 90a67b3a-bbac-4659-9474-72e7f2378355 Raw Audit Messages type=AVC msg=audit(1375874006.489:497): avc: denied { create } for pid=2921 comm="mkdir" name="pluto" scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir type=SYSCALL msg=audit(1375874006.489:497): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7fff98d4beb0 a1=1ed a2=1ed a3=3f363bacac items=0 ppid=2918 pid=2921 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mkdir exe=/usr/bin/mkdir subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null) Hash: mkdir,ipsec_mgmt_t,var_run_t,dir,create Additional info: reporter: libreport-2.1.5 hashmarkername: setroubleshoot kernel: 3.10.0-6.el7.x86_64 type: libreport