Bug 1003288 - SELinux prevents systemd strongswan.service from auto starting
SELinux prevents systemd strongswan.service from auto starting
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: i686 Linux
Priority: unspecified  Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-01 13:21 EDT by Robby
Modified: 2013-09-22 20:43 EDT (History)
Fixed In Version: selinux-policy-3.11.1-103.fc18
Doc Type: Bug Fix
Last Closed: 2013-09-22 20:43:12 EDT
Type: Bug
Description Robby 2013-09-01 13:21:56 EDT
Description of problem:
SELinux policy prevents systemd service strongswan.service from starting up, whereas running '/usr/sbin/strongswan start --nofork' manually does work fine.

Version-Release number of selected component (if applicable):
3.11.1-100

How reproducible:
Always

Steps to reproduce:
1. yum install strongswan
2. set up the strongswan configuration, etc.
3. systemctl start strongswan.service

Actual results:
Fails to start with these messages in the audit log:
type=AVC msg=audit(1378053671.755:1425): avc:  denied  { unlink } for  pid=6597 comm="starter" name="charon.ctl" dev="tmpfs" ino=47153 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1378053671.757:1426): avc:  denied  { execute_no_trans } for  pid=6606 comm="starter" path="/usr/libexec/strongswan/charon" dev="xvda2" ino=416998 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file

Expected results:
It should just work through systemctl with no denials.

Additional info:
I tried 'fixfiles -R strongswan restore' but it did not help.
I proceeded to create a semodule after which the denials were of course gone.
FYI, the output of the generated .te file is:
module strongswan 1.0;

require {
        type ipsec_t;
        type var_run_t;
        type ipsec_exec_t;
        class sock_file unlink;
        class file execute_no_trans;
}

#============= ipsec_t ==============
allow ipsec_t ipsec_exec_t:file execute_no_trans;
allow ipsec_t var_run_t:sock_file unlink;
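As an added illustration (not part of the bug report or of the selinux-policy package), here is what a tool like audit2allow does with the two AVC lines above: it parses each denial into source type, target type, object class and permission, then renders a module source of the same shape as the generated .te shown in the report. The parser, the rendering and the sample input below are constructed for this example; only the Python standard library is used.

```python
import re
from collections import defaultdict

# Sample input: the two AVC denials quoted in the report, embedded verbatim.
AVC_LINES = """\
type=AVC msg=audit(1378053671.755:1425): avc:  denied  { unlink } for  pid=6597 comm="starter" name="charon.ctl" dev="tmpfs" ino=47153 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1378053671.757:1426): avc:  denied  { execute_no_trans } for  pid=6606 comm="starter" path="/usr/libexec/strongswan/charon" dev="xvda2" ino=416998 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file
"""

# user:role:TYPE:range -- only the type field matters for an allow rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=\S+?:\S+?:(?P<stype>[^:\s]+):\S*\s+'
    r'tcontext=\S+?:\S+?:(?P<ttype>[^:\s]+):\S*\s+'
    r'tclass=(?P<tclass>\S+)')


def parse_avc(text):
    """Return (source_type, target_type, tclass, permission) per denied permission."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line (e.g. SYSCALL records)
        for perm in m.group('perms').split():  # "{ read write }" lists several
            denials.append((m.group('stype'), m.group('ttype'), m.group('tclass'), perm))
    return denials


def build_te(denials, module='strongswan', version='1.0'):
    """Render a minimal policy module source (.te) from parsed denials."""
    types, classes, rules = [], defaultdict(set), defaultdict(set)
    for stype, ttype, tclass, perm in denials:
        for t in (stype, ttype):
            if t not in types:
                types.append(t)  # keep first-seen order, as in the report
        classes[tclass].add(perm)
        rules[(stype, ttype, tclass)].add(perm)

    def fmt(perms):  # single permission bare, several in braces
        return next(iter(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'

    out = ['module %s %s;' % (module, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, fmt(p)) for c, p in classes.items()]
    out += ['}', '']
    # Each rule is as broad as the target *type*: var_run_t covers every socket
    # under /run, so review generated rules before loading them as a workaround.
    out += ['allow %s %s:%s %s;' % (s, t, c, fmt(p)) for (s, t, c), p in rules.items()]
    return '\n'.join(out) + '\n'
```

Such a generated module is a local workaround; the fix for this bug shipped as a selinux-policy update rather than a local allow rule.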
Comment 3 Fedora Update System 2013-09-10 07:16:29 EDT
selinux-policy-3.11.1-103.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-103.fc18
Comment 4 Fedora Update System 2013-09-10 21:57:07 EDT
Package selinux-policy-3.11.1-103.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-103.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16344/selinux-policy-3.11.1-103.fc18
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2013-09-22 20:43:12 EDT
selinux-policy-3.11.1-103.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.