Bug 209397 - openswan fails all basic operations with SElinux enabled
Status: CLOSED DUPLICATE of bug 204671
Product: Fedora
Classification: Fedora
Component: openswan
Hardware: other
OS: Linux
Priority: medium
Severity: medium
Assigned To: Harald Hoyer
Reported: 2006-10-05 00:45 EDT by Paul Wouters
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-10-05 04:08:59 EDT
Description Paul Wouters 2006-10-05 00:45:43 EDT
openswan fails all basic operations with SElinux enabled

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:
Not tried, but since I know what's happening, I'm sure it always happens.

Steps to Reproduce:
1. yum install openswan
2. run ipsec --version
3. or: create any IPsec tunnel config and watch the SElinux log messages
Actual results:
audit(1160023246.202:20): avc:  denied  { read } for  pid=15958 comm="ipsec"
name="ipsec_version" dev=proc ino=-268433719
tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file

Expected results:
Selinux not interfering with core operations. Openswan will need access to some
basic networking commands, such as "ip", "route", "netstat", "ifconfig".

This is clearly not working at all, as openswan is denied these commands.

Additional info:

Allow openswan access to the full kernel networking and ipsec stack. If this
is not done, people will just have to fully disable SElinux to get openswan
to work for basic IPsec tunnels.
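To triage a denial like the one quoted above, a defender first wants the record broken into its fields: which permission was refused, on which object class, and which target type. The following is an added example, not part of this bug report or of openswan; it parses AVC lines of the format shown, and notes that the quoted line carries no scontext, so no allow rule can be derived from it alone. The second sample line, with a constructed scontext of ipsec_t, is assumed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC record quoted in the bug report, re-joined onto one line.
SAMPLE_AVC = (
    'audit(1160023246.202:20): avc:  denied  { read } for  pid=15958 comm="ipsec" '
    'name="ipsec_version" dev=proc ino=-268433719 '
    'tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file'
)

# Constructed sample with a source context (ipsec_t is assumed for illustration).
SAMPLE_WITH_SCONTEXT = (
    'type=AVC msg=audit(1160023246.202:21): avc:  denied  { read } for  pid=15958 '
    'comm="ipsec" name="ipsec_version" dev=proc ino=-268433719 '
    'scontext=system_u:system_r:ipsec_t:s0 '
    'tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file'
)

@dataclass
class AvcDenial:
    perms: list      # permissions inside the braces, e.g. ["read"]
    fields: dict     # key=value pairs after "for": pid, comm, name, tcontext, tclass, ...

def parse_avc(line):
    """Parse one 'avc: denied' record; return None if the line is not an AVC denial."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$', line)
    if not m:
        return None
    perms = m.group(1).split()
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    fields = {k: v.strip('"') for k, v in pairs}
    return AvcDenial(perms, fields)

def type_of(context):
    """Extract the type component (user:role:type[:level]) of a security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def allow_rule(denial):
    """Build the TE allow rule that would permit this access, or None when the
    record lacks scontext (as the line in the bug report does), since the
    source domain is then unknown and must be taken from ausearch/audit.log."""
    if 'scontext' not in denial.fields or 'tcontext' not in denial.fields:
        return None
    src = type_of(denial.fields['scontext'])
    tgt = type_of(denial.fields['tcontext'])
    return f"allow {src} {tgt}:{denial.fields['tclass']} {{ {' '.join(denial.perms)} }};"
```

For the quoted line this yields target type proc_net_t, class lnk_file, permission read, and no rule; the second sample yields the rule for ipsec_t. Before adding any such rule, check whether the correct fix is instead a proper file context or domain transition for the daemon.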
Comment 1 Harald Hoyer 2006-10-05 04:08:59 EDT

*** This bug has been marked as a duplicate of 204671 ***
Comment 2 Harald Hoyer 2006-10-05 04:09:40 EDT
Paul, do you have patches for selinux?
Comment 3 Paul Wouters 2006-10-05 10:07:21 EDT
No, we don't. No one has contacted us requesting this feature to work on. We
have not done any work on SElinux, so this would be a major project for us to

I am not sure what "labeled networking" is, which is seen as the cause for this
bug. I assume that it would fix the use of ip/route/ifconfig etc., but that it
wouldn't fix the current reading in /proc (e.g. for ipsec --version).
