Bug 1003288 - SELinux prevents systemd strongswan.service from auto starting
Summary: SELinux prevents systemd strongswan.service from auto starting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: i686
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-09-01 17:21 UTC by Robby
Modified: 2013-09-23 00:43 UTC (History)

Fixed In Version: selinux-policy-3.11.1-103.fc18
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-23 00:43:12 UTC
Type: Bug
Embargoed:



Description Robby 2013-09-01 17:21:56 UTC
Description of problem:
SELinux policy prevents systemd service strongswan.service from starting up, whereas running '/usr/sbin/strongswan start --nofork' manually does work fine.

Version-Release number of selected component (if applicable):
3.11.1-100

How reproducible:
Always

Steps to reproduce:
1. yum install strongswan
2. set up the strongswan configuration, etc
3. systemctl start strongswan.service

Actual results:
Fails to start with these messages in the audit log:
type=AVC msg=audit(1378053671.755:1425): avc:  denied  { unlink } for  pid=6597 comm="starter" name="charon.ctl" dev="tmpfs" ino=47153 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1378053671.757:1426): avc:  denied  { execute_no_trans } for  pid=6606 comm="starter" path="/usr/libexec/strongswan/charon" dev="xvda2" ino=416998 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file

Expected results:
It should just work through systemctl with no denials.

Additional info:
I tried 'fixfiles -R strongswan restore' but it did not help.
I proceeded to create a semodule after which the denials were of course gone.
FYI, the output of the generated .te file is:
module strongswan 1.0;

require {
        type ipsec_t;
        type var_run_t;
        type ipsec_exec_t;
        class sock_file unlink;
        class file execute_no_trans;
}

#============= ipsec_t ==============
allow ipsec_t ipsec_exec_t:file execute_no_trans;
allow ipsec_t var_run_t:sock_file unlink;
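As an added example (not part of the bug report, and not code from Fedora's selinux-policy or strongSwan), the script below parses AVC records in the format quoted above, rebuilds the same require/allow module layout that audit2allow produced for the reporter, and adds the triage step a policy maintainer does before accepting such rules: a denial whose target type is a catch-all label such as var_run_t usually means the object is mislabeled, so the right fix is a file-context entry or a relabel, not an allow rule that lets the domain reach every var_run_t object. The two AVC lines are the ones from the report; the third audit line and the GENERIC_TYPES list are constructed assumptions of mine.

```python
import re

# Constructed sample input: the two AVC records quoted in the bug report,
# plus one constructed non-AVC record to show that other audit types are
# skipped. In practice you would feed `ausearch -m avc` output or
# /var/log/audit/audit.log into parse_audit_log().
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1378053671.755:1425): avc:  denied  { unlink } for  pid=6597 comm="starter" name="charon.ctl" dev="tmpfs" ino=47153 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1378053671.757:1426): avc:  denied  { execute_no_trans } for  pid=6606 comm="starter" path="/usr/libexec/strongswan/charon" dev="xvda2" ino=416998 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1378053671.757:1426): arch=40000003 syscall=11 success=no exit=-13 comm="starter"
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (my assumption, not from the bug report): a denial whose
# *target* carries one of these catch-all labels usually means the object
# is mislabeled (a file-context / restorecon problem), not that the policy
# lacks a rule. Allowing the domain to act on the generic type instead would
# widen its reach to every object with that label.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t",
                 "usr_t", "default_t", "unlabeled_t"}


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, else None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("rest")):
        fields[key] = value.strip('"')
    # A context is user:role:type:level; the type is the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return {
        "perms": m.group("perms").split(),
        "tclass": fields["tclass"],
        "stype": stype,
        "ttype": ttype,
        "object": fields.get("path") or fields.get("name", "?"),
        "fields": fields,
    }


def parse_audit_log(text):
    """Return every AVC denial record found in a block of audit text."""
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r]


def classify(rec):
    """Label a denial as a likely mislabeled object or a likely policy gap."""
    return "mislabel-suspect" if rec["ttype"] in GENERIC_TYPES else "policy-gap"


def to_te(records, module_name, version="1.0"):
    """Render records as a minimal .te module in the audit2allow layout."""
    types = sorted({t for r in records for t in (r["stype"], r["ttype"])})
    classes, rules = {}, {}
    for r in records:
        classes.setdefault(r["tclass"], set()).update(r["perms"])
        key = (r["stype"], r["ttype"], r["tclass"])
        rules.setdefault(key, set()).update(r["perms"])

    def perm_list(perms):
        joined = " ".join(sorted(perms))
        return f"{{ {joined} }}" if len(perms) > 1 else joined

    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"        type {t};" for t in types]
    lines += [f"        class {c} {perm_list(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{c} {perm_list(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(f"{classify(r):17} {r['stype']} -> {r['ttype']}:{r['tclass']} "
              f"{' '.join(r['perms'])}  ({r['object']})")
    print()
    print(to_te(recs, "strongswan"))
```

On the report's two records the script marks the charon.ctl unlink as mislabel-suspect (its target is plain var_run_t, a socket created at runtime under /run) and the execute_no_trans on /usr/libexec/strongswan/charon as a policy gap (its target is the domain-specific ipsec_exec_t). Note that `fixfiles -R <package> restore` only relabels paths in the RPM's file list, so it cannot touch a runtime socket; an object like that needs a file-context entry or a change in the distribution policy, which is how this bug was ultimately resolved rather than by shipping the generated allow rules as-is.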

Comment 3 Fedora Update System 2013-09-10 11:16:29 UTC
selinux-policy-3.11.1-103.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-103.fc18

Comment 4 Fedora Update System 2013-09-11 01:57:07 UTC
Package selinux-policy-3.11.1-103.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-103.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16344/selinux-policy-3.11.1-103.fc18
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-09-23 00:43:12 UTC
selinux-policy-3.11.1-103.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.