openswan fails all basic operations with SElinux enabled

Description of problem:

Version-Release number of selected component (if applicable):
openswan-2.4.5-2.1
kernel-xen-2.6.18-1.2726.fc6

How reproducible:
Not tried, but since I know what's happening, I'm sure it always happens.

Steps to Reproduce:
1. yum install openswan
2. run ipsec --version
3. or: create any IPsec tunnel config and watch the SElinux log messages

Actual results:
audit(1160023246.202:20): avc: denied { read } for pid=15958 comm="ipsec" name="ipsec_version" dev=proc ino=-268433719 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file

Expected results:
Selinux not interfering with core operations. Openswan will need access to some basic networking commands, such as "ip", "route", "netstat", "ifconfig". This is clearly not working at all, as openswan is denied these commands.

Additional info:
Allow openswan access to the full kernel networking and ipsec stack. If this is not done, people will just have to fully disable SElinux to get openswan to work for basic IPsec tunnels.
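The report above quotes a single AVC denial record. When triaging a bug like this, the first step is usually to collect every denial the daemon triggers and group them by source type, target type, object class and permission, which is what audit2allow does before proposing rules. The following is an added example, not code from the bug report or from the openswan project: a small parser for AVC records (both the bare "audit(...)" form shown in the report and the auditd "type=AVC msg=audit(...)" form) plus a summariser. The first sample line is the denial from the report; the other two are constructed, and the generated "allow" lines are a triage aid to be reviewed against the intended policy, not applied as-is.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The first line is the denial quoted in the bug report. The other two are
# constructed records in the same format, included only to exercise the
# parser (they are not from the original page).
SAMPLE_AUDIT_LINES = [
    'audit(1160023246.202:20): avc: denied { read } for pid=15958 comm="ipsec" '
    'name="ipsec_version" dev=proc ino=-268433719 '
    'scontext=root:system_r:unconfined_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file',
    # constructed: auditd-style prefix, two permissions in one record
    'type=AVC msg=audit(1160023300.500:21): avc: denied { read write } for '
    'pid=15960 comm="ipsec" name="xfrm_stat" dev=proc ino=-268433500 '
    'scontext=root:system_r:unconfined_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    # constructed: an audit line that is not an AVC record at all
    "audit(1160023301.000:22): user pid=15961 uid=0 msg='login acct=\"root\"'",
]

# "audit(<secs>.<ms>:<serial>): avc: denied { perm perm } for key=value ..."
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm="ipsec") or bare
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str            # "denied" or "granted"
    permissions: List[str]   # e.g. ["read"] or ["read", "write"]
    fields: Dict[str, str]   # pid, comm, name, dev, ino, scontext, tcontext, tclass

    @staticmethod
    def _ctx_type(ctx: str) -> str:
        # user:role:type[:range]  ->  type
        parts = ctx.split(":")
        return parts[2] if len(parts) > 2 else ""

    @property
    def source_type(self) -> str:
        return self._ctx_type(self.fields.get("scontext", ""))

    @property
    def target_type(self) -> str:
        return self._ctx_type(self.fields.get("tcontext", ""))


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        decision=m.group("decision"),
        permissions=m.group("perms").split(),
        fields=fields,
    )


DenialKey = Tuple[str, str, str, str, str]  # comm, stype, ttype, tclass, perm


def summarize_denials(lines: List[str]) -> Dict[DenialKey, int]:
    """Count denials per (comm, source type, target type, class, permission)."""
    counts: Dict[DenialKey, int] = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.decision != "denied":
            continue
        for perm in rec.permissions:
            key = (rec.fields.get("comm", "?"), rec.source_type,
                   rec.target_type, rec.fields.get("tclass", "?"), perm)
            counts[key] = counts.get(key, 0) + 1
    return counts


def candidate_allow_rules(counts: Dict[DenialKey, int]) -> List[str]:
    """Collapse the summary into audit2allow-style rules for human review."""
    perms_by_rule: Dict[Tuple[str, str, str], set] = {}
    for (_comm, stype, ttype, tclass, perm) in counts:
        perms_by_rule.setdefault((stype, ttype, tclass), set()).add(perm)
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in perms_by_rule.items()
    )


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT_LINES)
    for key, n in sorted(summary.items()):
        print(n, key)
    for rule in candidate_allow_rules(summary):
        print(rule)
```

On a real system the input would be the AVC lines from dmesg or /var/log/audit/audit.log; the summary makes it obvious whether a daemon is missing one narrow permission (as in the ipsec_version lnk_file read here) or is effectively asking for the whole proc_net_t and network-tool surface the reporter describes, which is the difference between a small policy fix and the "disable SELinux" outcome the report warns about.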
*** This bug has been marked as a duplicate of 204671 ***
Paul, do you have patches for selinux?
No we don't. No one has contacted us requesting this feature to work on. We have not done any work on SElinux, so this would be a major project for us to undertake. I am not sure what "labeled networking" is, that is seen as the cause for this bug. I assume that it would fix the use of ip/route/ifconfig etc. but that it wouldn't fix the current reading in /proc (eg for ipsec --version)