Bug 386391 - SELinux is preventing racoon (racoon_t) "name_bind" to (ipsecnat_port_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: x86_64 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks:
 
Reported: 2007-11-16 02:22 EST by James Davidson
Modified: 2008-01-30 14:20 EST

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-30 14:20:26 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description James Davidson 2007-11-16 02:22:29 EST
Detailed Description
SELinux denied access requested by racoon. It is not expected that this access
is required by racoon and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Additional Information
Source Context:  system_u:system_r:racoon_t:s0
Target Context:  system_u:object_r:ipsecnat_port_t:s0
Target Objects:  None [ udp_socket ]
Affected RPM Packages:  
Policy RPM:  selinux-policy-3.0.8-53.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  aragorn.localdomain
Platform:  Linux aragorn.localdomain 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 22:14:09
EST 2007 x86_64 x86_64
Alert Count:  3
First Seen:  Thu 15 Nov 2007 09:47:53 PM PST
Last Seen:  Thu 15 Nov 2007 10:59:01 PM PST
Local ID:  437cf221-fedf-4601-a5b9-3e378b4cb8fc
Line Numbers:  

Raw Audit Messages:
avc: denied { name_bind } for comm=racoon pid=4845
scontext=system_u:system_r:racoon_t:s0 src=4500 tclass=udp_socket
tcontext=system_u:object_r:ipsecnat_port_t:s0
Comment 1 Daniel Walsh 2007-11-16 09:56:04 EST
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-57.fc8
Comment 2 Aurelien Bompard 2007-12-04 13:29:59 EST
I still have this problem with selinux-policy-targeted-3.0.8-62.fc8
Comment 3 Aurelien Bompard 2007-12-04 13:31:16 EST
On top of that, racoon is not allowed to write its pid file. I had to add the
following policy module:

module racoonipsecnat 1.0;

require {
        type ipsecnat_port_t;
        type racoon_t;
        type var_run_t;
        class udp_socket name_bind;
        class file { read write };
}

#============= racoon_t ==============
allow racoon_t ipsecnat_port_t:udp_socket name_bind;
allow racoon_t var_run_t:file write;
Comment 4 Daniel Walsh 2007-12-05 10:25:35 EST
You are right.  There is a bug in the policy and we need a label for
/var/run/racoon.pid

selinux-policy-targeted-3.0.8-65.fc8

chcon -t ipsec_var_run_t /var/run/racoon.pid

Should eliminate the need for the second rule.
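The raw AVC record in the description, the audit2allow workaround in comment 1, and the over-broad `allow racoon_t var_run_t:file write;` rule in comment 3 that comment 4 resolves by relabelling the pid file illustrate the same triage question: which denials deserve an allow rule, and which point at a mislabelled object? The Python script below is an added example written for this page; it is not code from the report, from audit2allow, or from the Fedora policy. It parses AVC denial lines regardless of field order (the report's own record has `tclass` before `tcontext`), merges them into TE allow rules the way audit2allow does, and then flags any rule whose target is a generic catch-all type such as `var_run_t`. The `GENERIC_TYPES` list and every audit line other than the first are constructed assumptions of the example.

```python
"""Triage SELinux AVC denials the way a policy reviewer would before trusting
audit2allow output: merge denials into allow rules, then flag rules whose
target is a generic type (a sign the object needs a proper label instead)."""
import re
from collections import defaultdict

# Constructed sample: the first record is the name_bind denial from this
# report; the other AVC records and the SYSCALL line are made up to model a
# pid file that was left with the generic var_run_t label.
SAMPLE_AUDIT_LOG = """\
avc: denied { name_bind } for comm=racoon pid=4845 scontext=system_u:system_r:racoon_t:s0 src=4500 tclass=udp_socket tcontext=system_u:object_r:ipsecnat_port_t:s0
type=AVC msg=audit(1195189673.456:46): avc:  denied  { write } for  pid=4845 comm="racoon" name="racoon.pid" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1195189673.456:46): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1195189673.789:47): avc:  denied  { read } for  pid=4845 comm="racoon" name="racoon.pid" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic list (an assumption of this example, not policy from the report):
# shared catch-all types that a confined domain should rarely be allowed to
# write; a denial on one of these usually means the object is mislabelled.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "var_log_t",
                 "etc_t", "tmp_t", "usr_t", "bin_t"}


def type_of(context):
    """Extract the type from a user:role:type[:range] context string."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = PERMS_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. a SYSCALL record)
        # Field order varies between auditd and setroubleshoot output, so
        # collect key=value pairs into a dict instead of matching positionally.
        fields = dict(FIELD_RE.findall(line))
        try:
            stype = type_of(fields["scontext"])
            ttype = type_of(fields["tcontext"])
            tclass = fields["tclass"]
        except KeyError:
            continue  # truncated record: skip rather than guess
        yield stype, ttype, tclass, frozenset(m.group(1).split())


def build_rules(text):
    """Merge denials into TE allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        joined = " ".join(sorted(perms))
        perm_str = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def flag_generic_targets(rules):
    """Return the rules whose target type is generic and should be reviewed."""
    flagged = []
    for rule in rules:
        ttype = rule.split()[2].split(":")[0]  # "var_run_t:file" -> "var_run_t"
        if ttype in GENERIC_TYPES:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    rules = build_rules(SAMPLE_AUDIT_LOG)
    for rule in rules:
        print(rule)
    for rule in flag_generic_targets(rules):
        print("REVIEW (label the object instead of allowing?):", rule)
```

On a real host the input would be the AVC records from /var/log/audit/audit.log (for example via `ausearch -m avc`), and the generated rules can be compared against what `audit2allow` proposes. The name_bind rule on `ipsecnat_port_t` is a port type specific to IPsec NAT traversal and is the kind of rule that belongs in the distribution policy; the flagged rule on `var_run_t` is the case comment 4 handles with `chcon -t ipsec_var_run_t /var/run/racoon.pid`, where a correct label removes the need for any extra rule.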
Comment 5 Daniel Walsh 2008-01-30 14:20:26 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
