Bug 1003288 - SELinux prevents systemd strongswan.service from auto starting
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware/OS: i686 Linux
Priority: unspecified
Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-01 13:21 EDT by Robby
Modified: 2013-09-22 20:43 EDT
Fixed In Version: selinux-policy-3.11.1-103.fc18
Doc Type: Bug Fix
Last Closed: 2013-09-22 20:43:12 EDT
Type: Bug

Description Robby 2013-09-01 13:21:56 EDT
Description of problem:
SELinux policy prevents systemd service strongswan.service from starting up, whereas running '/usr/sbin/strongswan start --nofork' manually does work fine.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to reproduce:
1. yum install strongswan
2. set up the strongswan configuration, etc
3. systemctl start strongswan.service

Actual results:
Fails to start with these messages in the audit log:
type=AVC msg=audit(1378053671.755:1425): avc:  denied  { unlink } for  pid=6597 comm="starter" name="charon.ctl" dev="tmpfs" ino=47153 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1378053671.757:1426): avc:  denied  { execute_no_trans } for  pid=6606 comm="starter" path="/usr/libexec/strongswan/charon" dev="xvda2" ino=416998 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file

Expected results:
It should just work through systemctl with no denials.

Additional info:
I tried 'fixfiles -R strongswan restore' but it did not help.
I proceeded to create a semodule after which the denials were of course gone.
FYI, the output of the generated .te file is:
module strongswan 1.0;

require {
        type ipsec_t;
        type var_run_t;
        type ipsec_exec_t;
        class sock_file unlink;
        class file execute_no_trans;
}

#============= ipsec_t ==============
allow ipsec_t ipsec_exec_t:file execute_no_trans;
allow ipsec_t var_run_t:sock_file unlink;
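The two AVC records in the description map directly onto the generated module: the type field of each record's scontext becomes the source of an allow rule, the type of the tcontext becomes the target, and tclass plus the bracketed permissions supply the rest. The Python below is an added example, not code from this bug, from strongswan or from the selinux-policy project; it re-implements that mapping (essentially the core of what audit2allow does) so the derivation can be checked offline. Its input is a constructed audit-log excerpt: the two AVC lines quoted in the report plus an invented SYSCALL record that the parser is expected to skip. All function and constant names are the example's own.

```python
"""Parse SELinux AVC denials and derive the equivalent type-enforcement rules.

Added example for bug 1003288; not code from the original page, from
strongswan or from the selinux-policy project.  It mirrors what
`audit2allow -M strongswan` does with the two denials in the report.
"""
import re
from collections import OrderedDict

# Constructed sample: the two AVC lines are the ones quoted in the report,
# the SYSCALL line is an invented filler record (non-AVC records are skipped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1378053671.755:1425): avc:  denied  { unlink } for  pid=6597 comm="starter" name="charon.ctl" dev="tmpfs" ino=47153 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1378053671.757:1426): avc:  denied  { execute_no_trans } for  pid=6606 comm="starter" path="/usr/libexec/strongswan/charon" dev="xvda2" ino=416998 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1378053671.755:1425): arch=40000003 syscall=10 success=no exit=-13 comm="starter"
"""

AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m or m.group("result") != "denied":
        return None
    # A context is user:role:type[:level]; a TE rule needs only the type.
    return {
        "source": m.group("scontext").split(":")[2],
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": m.group("perms").split(),
    }


def collect_denials(log_text):
    """Parse every line of an audit log excerpt, keeping only AVC denials."""
    return [d for d in (parse_avc(l) for l in log_text.splitlines()) if d]


def _perm_set(perms):
    """Render one permission bare, several inside braces, as policy syntax expects."""
    perms = list(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(denials, module_name, version="1.0"):
    """Render denials as a .te module, merging permissions per (source, target, class)."""
    rules = OrderedDict()  # (source, target, tclass) -> ordered set of perms
    for d in denials:
        perms = rules.setdefault((d["source"], d["target"], d["tclass"]), OrderedDict())
        for p in d["perms"]:
            perms[p] = None

    # Every type and class referenced by a rule must be declared in `require`.
    types, classes = OrderedDict(), OrderedDict()
    for (src, tgt, cls), perms in rules.items():
        types[src] = None
        types[tgt] = None
        classes.setdefault(cls, OrderedDict()).update(perms)

    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_set(p)};" for c, p in classes.items()]
    out += ["}", ""]
    for src in OrderedDict.fromkeys(s for s, _, _ in rules):
        out.append(f"#============= {src} ==============")
        for (s, tgt, cls), perms in rules.items():
            if s == src:
                out.append(f"allow {src} {tgt}:{cls} {_perm_set(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_te(collect_denials(SAMPLE_AUDIT_LOG), "strongswan"))
```

Read the output as a diagnosis rather than a fix: execute_no_trans denied for ipsec_t on ipsec_exec_t means the starter executed charon without a domain transition, and the unlink denial is against a socket carrying the generic var_run_t label rather than a strongswan-specific type. A module built this way only grants those two operations; the packaged selinux-policy-3.11.1-103.fc18 is the proper resolution, and a locally generated module is best removed (`semodule -r strongswan`) once it is installed so the override does not outlive the bug.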
Comment 3 Fedora Update System 2013-09-10 07:16:29 EDT
selinux-policy-3.11.1-103.fc18 has been submitted as an update for Fedora 18.
Comment 4 Fedora Update System 2013-09-10 21:57:07 EDT
Package selinux-policy-3.11.1-103.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-103.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2013-09-22 20:43:12 EDT
selinux-policy-3.11.1-103.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
