452935 – AVC denials: pluto

Bug 452935 - AVC denials: pluto

Summary: AVC denials: pluto

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	9
Hardware:	i386
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-06-26 02:54 UTC by Jerry James
Modified:	2008-10-22 15:55 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-10-22 15:55:18 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jerry James 2008-06-26 02:54:12 UTC

Description of problem:
I am suffering from bug #438046.  I usually remember to login to the console as
root and rmmod r8169 && modprobe r8169 before logging into gdm.  Tonight I
forgot.  I saw the NetworkManager symbol at the top of my screen, indicating
that it was trying to acquire a network address.  I switched to a console and
did the required voodoo.  When I switched back to my desktop, I had 3 AVC
denials waiting for me.  One has already been reported (bug #452351).  The other
two are pluto related.

AVC denial #1:
host=localhost.localdomain type=AVC msg=audit(1214447516.922:8): avc: denied {
write } for pid=2201 comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0
ino=5931019 scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=file

host=localhost.localdomain type=AVC msg=audit(1214447516.922:8): avc: denied {
write } for pid=2201 comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0
ino=5931019 scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1214447516.922:8):
arch=40000003 syscall=11 success=yes exit=0 a0=9a23d10 a1=9a22c18 a2=9a20620
a3=0 items=0 ppid=2037 pid=2201 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip"
subj=system_u:system_r:ifconfig_t:s0 key=(null) 

AVC denial #2:
host=localhost.localdomain type=AVC msg=audit(1214447517.787:9): avc: denied {
search } for pid=2213 comm="pluto" name="pluto" dev=dm-0 ino=5931032
scontext=system_u:system_r:ipsec_t:s0
tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1214447517.787:9):
arch=40000003 syscall=5 success=no exit=-13 a0=b80b4f60 a1=2c1 a2=124
a3=bfead2b0 items=0 ppid=2212 pid=2213 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto"
exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null) 

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-64.fc9.noarch

How reproducible:
I have not attempted to reproduce this bug.

Steps to Reproduce:
1.
2.
3.
  
Actual results:
The AVC denials listed above.

Expected results:
No AVC denials.

Additional info:

Comment 1 Daniel Walsh 2008-06-26 11:52:08 UTC

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-72.fc9.noarch

Comment 2 Jerry James 2008-10-22 14:12:24 UTC

Go ahead and close this bug as fixed.  Thanks once again, Daniel.

Comment 3 Daniel Walsh 2008-10-22 15:55:18 UTC

If you verify it as fixed, feel free to close/currentrelease the bug.

Note You need to log in before you can comment on or make changes to this bug.