Bug 466861 - avc: denied { write } for pid=2193 comm="ip" path="/var/run/pluto/ipsec_setup.out"
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Avesh Agarwal
QA Contact: BaseOS QE
Reported: 2008-10-14 03:39 EDT by Alexander Todorov
Modified: 2009-09-02 07:19 EDT (History)
Doc Type: Bug Fix
Doc Text:
Openswan did not close file descriptors on exec. The resulting file descriptor leaks would then cause AVC denial warnings on systems set to enforce SELinux policy. Openswan now closes file descriptors on exec, both for sockets that it has opened and for sockets that it has accepted. Because Openswan does not now leak these file descriptors, the corresponding AVC denial warnings do not appear.
Last Closed: 2009-09-02 07:19:27 EDT
Description Alexander Todorov 2008-10-14 03:39:15 EDT
Description of problem:
type=AVC msg=audit(1223411506.220:7): avc:  denied  { write } for  pid=2193 comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=46468240 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=file
type=AVC msg=audit(1223411508.536:8): avc:  denied  { write } for  pid=2358 comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=46468240 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=file
type=AVC msg=audit(1223411508.536:8): avc:  denied  { write } for  pid=2358 comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=46468240 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=file
type=AVC msg=audit(1223411508.540:9): avc:  denied  { write } for  pid=2359 comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=46468240 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=file
type=AVC msg=audit(1223411508.540:9): avc:  denied  { write } for  pid=2359 comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=46468240 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=file
Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-162.el5

How reproducible:
always

Steps to Reproduce:
1. @everything install
Comment 2 Daniel Walsh 2008-10-15 10:38:00 EDT
This is either a leaked file descriptor in ipsec or stdout of the ifconfig command is being redirected to /var/run/pluto/ipsec_setup.out

If this is a leaked file descriptor ipsec/racoon should be closing the file descriptor before exec

fcntl(fd, F_SETFD, FD_CLOEXEC)

If it is a redirection, we will need to update the policy package.

Changing package to ipsec-tools, change it back if this is the correct behaviour.
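To make the leak Dan describes and the FD_CLOEXEC fix concrete, here is an added example (not openswan's or ipsec-tools' code): it opens a pipe as a constructed stand-in for the ipsec_setup.out descriptor, execs /bin/sh the way pluto execs `ip`, and reports whether the write end survived the exec. It assumes /bin/sh is present.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC on an already-open descriptor without clobbering other
 * fd flags (the fix Comment 2 asks for). Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec /bin/sh, which tries to duplicate `fd`; that only succeeds
 * if the descriptor survived exec. Returns 1 if it leaked into the child,
 * 0 if it was closed on exec, -1 on error (fork/wait failed or no /bin/sh). */
int fd_survives_exec(int fd)
{
    char script[32];
    int status;
    snprintf(script, sizeof script, "exec 9>&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127); /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status) == 0;
}

/* Open a pipe as a constructed stand-in for the ipsec_setup.out file and
 * report whether its write end reaches the exec'd child (1 = leaked). */
int demo_leak(int use_cloexec)
{
    int fds[2], leaked;
    if (pipe(fds) < 0) return -1;
    if (use_cloexec && set_cloexec(fds[1]) < 0) return -1;
    leaked = fd_survives_exec(fds[1]);
    close(fds[0]);
    close(fds[1]);
    return leaked;
}

int main(void)
{
    printf("without FD_CLOEXEC: leaked=%d\n", demo_leak(0));
    printf("with FD_CLOEXEC:    leaked=%d\n", demo_leak(1));
    return 0;
}
```

The leaked case is exactly what the AVC shows: the child runs in ifconfig_t but still holds a descriptor to an ipsec_var_run_t file, so the first write is denied.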
Comment 3 Alexander Todorov 2008-10-22 02:33:37 EDT
Avesh,
can you confirm comment #2 or move back to selinux-policy component?
Comment 11 Ruediger Landmann 2009-05-17 21:01:20 EDT
Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Openswan did not close file descriptors on exec. The resulting file descriptor leaks would then cause AVC denial warnings on systems set to enforce SELinux policy. Openswan now closes file descriptors on exec, both for sockets that it has opened and for sockets that it has accepted. Because Openswan does not now leak these file descriptors, the corresponding AVC denial warnings do not appear.
Comment 13 Alexander Todorov 2009-06-12 10:46:27 EDT
This one looks like what I'm seeing here:
https://bugzilla.redhat.com/show_bug.cgi?id=443646#c16

not sure if they are duplicates or openswan has way too many issues with SELinux.
Comment 14 Alexander Todorov 2009-06-12 10:49:23 EDT
Ohh, seeing this one as well:

type=AVC msg=audit(1244812506.720:70): avc:  denied  { getattr } for  pid=5398 comm="_realsetup" path="/sbin/lsmod" dev=dm-0 ino=14450764 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1244812506.720:70): arch=c0000032 syscall=1210 success=no exit=-13 a0=600000000003f810 a1=60000fffffa22d30 a2=40000000000f6b90 a3=c00000000000040a items=0 ppid=5384 pid=5398 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="_realsetup" exe="/bin/bash" subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1244812506.728:71): avc:  denied  { getattr } for  pid=5400 comm="_realsetup" path="/sbin/lsmod" dev=dm-0 ino=14450764 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
Comment 15 Daniel Walsh 2009-06-12 11:40:09 EDT
This avc should be allowed with the RHEL5.4 policy
Comment 18 errata-xmlrpc 2009-09-02 07:19:27 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1350.html
