Bug 481710 - Openswan SElinux denials
Openswan SElinux denials
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: openwsman (Show other bugs)
9
All Linux
low Severity medium
: ---
: ---
Assigned To: srinivas
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-01-27 05:04 EST by Robert Brady
Modified: 2009-07-14 12:30 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-14 12:30:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Robert Brady 2009-01-27 05:04:17 EST
Description of problem:
SElinux denials when running #service ipsec start


Version-Release number of selected component (if applicable):
[root@sun ~]# ipsec --version
Linux Openswan U2.6.19/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.

[root@sun ~]# yum list openswan
Loaded plugins: refresh-packagekit
Installed Packages
openswan.i386                                                          2.6.19-1.fc9     installed

How reproducible: always
  
Actual results: from /var/log/messages
Jan 27 06:26:05 sun ipsec_setup: Starting Openswan IPsec U2.6.19/K2.6.27.9-73.fc9.i686...
Jan 27 06:26:06 sun setroubleshoot: SELinux is preventing logger (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages. run sealert -l 4b8243dc-7f59-40e6-af12-0eec143c0acb
Jan 27 06:26:06 sun pluto: adjusting ipsec.d to /etc/ipsec.d
Jan 27 06:26:06 sun setroubleshoot: SELinux is preventing logger (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages. run sealert -l 4b8243dc-7f59-40e6-af12-0eec143c0acb
Jan 27 06:26:06 sun setroubleshoot: SELinux is preventing logger (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages. run sealert -l 4b8243dc-7f59-40e6-af12-0eec143c0acb
Jan 27 06:26:06 sun setroubleshoot: SELinux is preventing logger (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages. run sealert -l 4b8243dc-7f59-40e6-af12-0eec143c0acb
Jan 27 06:26:07 sun setroubleshoot: SELinux is preventing auto (ipsec_mgmt_t) "execute_no_trans" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l 45f74970-ceaa-4d3b-b36d-de54c66abee3
Jan 27 06:26:07 sun setroubleshoot: SELinux is preventing logger (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages. run sealert -l 4b8243dc-7f59-40e6-af12-0eec143c0acb
Jan 27 06:26:07 sun setroubleshoot: SELinux is preventing the lwdnsq from using potentially mislabeled files (./tmp). For complete SELinux messages. run sealert -l b95f4a9e-3ebe-4e49-9126-36a04b549ad7
Jan 27 06:26:07 sun setroubleshoot: SELinux is preventing lwdnsq (ipsec_t) "ioctl" ipsec_t. For complete SELinux messages. run sealert -l 6c10423e-3f79-4678-a60e-bb34c05d6261




Expected results:


Additional info:
Comment 1 Joe Nall 2009-03-10 22:03:14 EDT
[root@fiona log]# grep ipsec audit/audit.log* | grep denied
audit/audit.log:type=AVC msg=audit(1236729171.744:5): avc:  denied  { create } for  pid=2550 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1235662140.142:5): avc:  denied  { create } for  pid=2473 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1235838798.322:5): avc:  denied  { create } for  pid=2483 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236556624.237:5): avc:  denied  { create } for  pid=2512 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236557705.065:5): avc:  denied  { create } for  pid=2520 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236562019.917:5): avc:  denied  { create } for  pid=2516 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236564100.537:5): avc:  denied  { create } for  pid=2546 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236565573.844:5): avc:  denied  { create } for  pid=2547 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.1:type=AVC msg=audit(1236607762.164:5): avc:  denied  { create } for  pid=2552 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.2:type=AVC msg=audit(1234891415.043:16618): avc:  denied  { create } for  pid=14741 comm="lwdnsq" name="lwdnsq.log" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.2:type=AVC msg=audit(1234891576.327:16644): avc:  denied  { create } for  pid=15183 comm="lwdnsq" name="lwdnsq.log" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.2:type=AVC msg=audit(1234893334.424:16727): avc:  denied  { create } for  pid=15656 comm="lwdnsq" name="lwdnsq.log" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.2:type=AVC msg=audit(1234894854.923:16841): avc:  denied  { create } for  pid=16184 comm="lwdnsq" name="lwdnsq.log" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.3:type=AVC msg=audit(1233461592.584:5): avc:  denied  { create } for  pid=2503 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
audit/audit.log.3:type=AVC msg=audit(1233965028.361:5): avc:  denied  { create } for  pid=2514 comm="lwdnsq" name="lwdnsq.log" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

[root@fiona log]# grep ipsec audit/audit.log* | grep denied | audit2allow 


#============= ipsec_t ==============
allow ipsec_t tmp_t:file create;

I think this is /usr/libexec/ipsec/lwdnsq trying to create a log. Not sure it makes sense.
Comment 2 Robert Brady 2009-03-11 04:05:04 EDT
[root@sun log]# tail  -n 500 audit/audit.log | grep ipsec 
[root@sun log]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.19/K2.6.27.19-78.2.30.fc9.i686...
[root@sun log]# service ipsec status
IPsec stopped
but...
has subsystem lock (/var/lock/subsys/ipsec)!
[root@sun log]# tail  -n 500 audit/audit.log | grep ipsec 
type=AVC msg=audit(1236757425.419:23): avc:  denied  { sendto } for  pid=3792 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757425.419:23): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf949770 a2=d5eff4 a3=14 items=0 ppid=3791 pid=3792 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757427.783:24): avc:  denied  { sendto } for  pid=3960 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757427.783:24): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb42990 a2=d5eff4 a3=14 items=0 ppid=3958 pid=3960 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757427.787:25): avc:  denied  { sendto } for  pid=3967 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757427.787:25): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf8bdf10 a2=d5eff4 a3=14 items=0 ppid=3774 pid=3967 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757427.826:26): avc:  denied  { sendto } for  pid=3965 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757427.826:26): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa03840 a2=d5eff4 a3=84851b8 items=0 ppid=1 pid=3965 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757428.510:27): avc:  denied  { name_bind } for  pid=3964 comm="pluto" src=500 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1236757428.510:27): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfeea900 a2=3fb808 a3=10 items=0 ppid=3962 pid=3964 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1236757428.528:28): avc:  denied  { write } for  pid=4081 comm="lwdnsq" name="tmp" dev=dm-0 ino=8052756 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1236757428.528:28): arch=40000003 syscall=5 success=no exit=-13 a0=9bf698 a1=442 a2=1b6 a3=440 items=0 ppid=3964 pid=4081 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lwdnsq" exe="/usr/libexec/ipsec/lwdnsq" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1236757428.530:29): avc:  denied  { sendto } for  pid=3965 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757428.530:29): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa03840 a2=d5eff4 a3=84851b8 items=0 ppid=1 pid=3965 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757428.533:30): avc:  denied  { sendto } for  pid=3965 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757428.533:30): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa03840 a2=d5eff4 a3=84851b8 items=0 ppid=1 pid=3965 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757428.533:31): avc:  denied  { sendto } for  pid=3965 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757428.533:31): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa03840 a2=d5eff4 a3=84851b8 items=0 ppid=1 pid=3965 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757438.557:32): avc:  denied  { write } for  pid=4093 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1236757438.557:32): arch=40000003 syscall=33 success=no exit=-13 a0=964ef88 a1=2 a2=d5eff4 a3=0 items=0 ppid=4087 pid=4093 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757438.559:33): avc:  denied  { sendto } for  pid=4100 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757438.559:33): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc09a40 a2=d5eff4 a3=8dd91b8 items=0 ppid=4093 pid=4100 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757438.566:34): avc:  denied  { write } for  pid=4101 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1236757438.566:34): arch=40000003 syscall=33 success=no exit=-13 a0=9138f98 a1=2 a2=d5eff4 a3=0 items=0 ppid=4087 pid=4101 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1236757438.567:35): avc:  denied  { sendto } for  pid=4108 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1236757438.567:35): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd1db60 a2=d5eff4 a3=9b0d1b8 items=0 ppid=4101 pid=4108 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
[root@sun log]# 

[root@sun log]# tail  -n 500 audit/audit.log | grep ipsec |audit2allow


#============= ipsec_mgmt_t ==============
allow ipsec_mgmt_t root_t:dir write;
allow ipsec_mgmt_t syslogd_t:unix_dgram_socket sendto;

#============= ipsec_t ==============
allow ipsec_t isakmp_port_t:udp_socket name_bind;
allow ipsec_t tmp_t:dir write;
[root@sun log]# 


Attempting to start ipsec generates these errors now

Summary:

SELinux is preventing logger (ipsec_mgmt_t) "sendto" syslogd_t.

Detailed Description:

SELinux denied access requested by logger. It is not expected that this access
is required by logger and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                system_u:system_r:syslogd_t:s0
Target Objects                /dev/log [ unix_dgram_socket ]
Source                        logger
Source Path                   /usr/bin/logger
Port                          <Unknown>
Host                          sun.nixtec.net
Source RPM Packages           util-linux-ng-2.13.1-8.3.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-125.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     sun.nixtec.net
Platform                      Linux sun.nixtec.net 2.6.27.19-78.2.30.fc9.i686 #1
                              SMP Tue Feb 24 20:09:23 EST 2009 i686 i686
Alert Count                   70
First Seen                    Tue 27 Jan 2009 06:37:45 PM EST
Last Seen                     Wed 11 Mar 2009 05:51:50 PM EST
Local ID                      320c8a9f-d7e6-4776-82c6-b7dbbfe4eb85
Line Numbers

Raw Audit Messages

node=sun.nixtec.net type=AVC msg=audit(1236757910.970:79): avc:  denied  { sendto } for  pid=5547 comm="logger" path="/dev/log" scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket

node=sun.nixtec.net type=SYSCALL msg=audit(1236757910.970:79): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa9b8d0 a2=d5eff4 a3=91be1b8 items=0 ppid=5540 pid=5547 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="logger" exe="/usr/bin/logger" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)

SELinux is preventing setup (ipsec_mgmt_t) "write" to / (root_t). The SELinux
type root_t, is a generic type for all files in the directory and very few
processes (SELinux Domains) are allowed to write to this SELinux type. This type
of denial usual indicates a mislabeled file. By default a file created in a
directory has the gets the context of the parent directory, but SELinux policy
has rules about the creation of directories, that say if a process running in
one SELinux Domain (D1) creates a file in a directory with a particular SELinux
File Context (F1) the file gets a different File Context (F2). The policy
usually allows the SELinux Domain (D1) the ability to write, unlink, and append
on (F2). But if for some reason a file (/) was created with the wrong context,
this domain will be denied. The usual solution to this problem is to reset the
file context on the target file, restorecon -v '/'. If the file context does not
change from root_t, then this is probably a bug in policy. Please file a bug
report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
selinux-policy package. If it does change, you can try your application again to
see if it works. The file context could have been mislabeled by editing the file
or moving the file from a different directory, if the file keeps getting
mislabeled, check the init scripts to see if they are doing something to
mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v '/'

Fix Command:

restorecon '/'

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                / [ dir ]
Source                        setup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          sun.nixtec.net
Source RPM Packages           bash-3.2-23.fc9
Target RPM Packages           filesystem-2.4.13-1.fc9
Policy RPM                    selinux-policy-3.3.1-125.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     sun.nixtec.net
Platform                      Linux sun.nixtec.net 2.6.27.19-78.2.30.fc9.i686 #1
                              SMP Tue Feb 24 20:09:23 EST 2009 i686 i686
Alert Count                   14
First Seen                    Tue 27 Jan 2009 06:37:57 PM EST
Last Seen                     Wed 11 Mar 2009 05:51:50 PM EST
Local ID                      3f7d36a7-dba6-4344-8e54-ce916648ec43
Line Numbers

Raw Audit Messages

node=sun.nixtec.net type=AVC msg=audit(1236757910.970:78): avc:  denied  { write } for  pid=5540 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir

node=sun.nixtec.net type=SYSCALL msg=audit(1236757910.970:78): arch=40000003 syscall=33 success=no exit=-13 a0=9baaf98 a1=2 a2=d5eff4 a3=0 items=0 ppid=5526 pid=5540 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)

SELinux is preventing pluto (ipsec_t) "name_bind" isakmp_port_t.

Detailed Description:

SELinux denied access requested by pluto. It is not expected that this access is
required by pluto and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:isakmp_port_t:s0
Target Objects                None [ udp_socket ]
Source                        pluto
Source Path                   /usr/libexec/ipsec/pluto
Port                          500
Host                          sun.nixtec.net
Source RPM Packages           openswan-2.6.19-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-125.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     sun.nixtec.net
Platform                      Linux sun.nixtec.net 2.6.27.19-78.2.30.fc9.i686 #1
                              SMP Tue Feb 24 20:09:23 EST 2009 i686 i686
Alert Count                   7
First Seen                    Tue 27 Jan 2009 06:37:46 PM EST
Last Seen                     Wed 11 Mar 2009 05:51:39 PM EST
Local ID                      1d1ec829-d7b2-4da5-baa1-4ee7c7c3ecfc
Line Numbers

Raw Audit Messages

node=sun.nixtec.net type=AVC msg=audit(1236757899.930:72): avc:  denied  { name_bind } for  pid=5477 comm="pluto" src=500 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:isakmp_port_t:s0 tclass=udp_socket

node=sun.nixtec.net type=SYSCALL msg=audit(1236757899.930:72): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfb5b820 a2=95b808 a3=10 items=0 ppid=5475 pid=5477 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)

SELinux is preventing the lwdnsq from using potentially mislabeled files
(./tmp).

Detailed Description:

SELinux has denied lwdnsq access to potentially mislabeled file(s) (./tmp). This
means that SELinux will not allow lwdnsq to use these files. It is common for
users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want lwdnsq to access this files, you need to relabel them using
restorecon -v './tmp'. You might want to relabel the entire directory using
restorecon -R -v './tmp'.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                ./tmp [ dir ]
Source                        lwdnsq
Source Path                   /usr/libexec/ipsec/lwdnsq
Port                          <Unknown>
Host                          sun.nixtec.net
Source RPM Packages           openswan-2.6.19-1.fc9
Target RPM Packages           filesystem-2.4.13-1.fc9
Policy RPM                    selinux-policy-3.3.1-125.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     sun.nixtec.net
Platform                      Linux sun.nixtec.net 2.6.27.19-78.2.30.fc9.i686 #1
                              SMP Tue Feb 24 20:09:23 EST 2009 i686 i686
Alert Count                   7
First Seen                    Tue 27 Jan 2009 06:37:46 PM EST
Last Seen                     Wed 11 Mar 2009 05:51:39 PM EST
Local ID                      73c1ec1b-496c-405d-992e-6e1ef0f9dffc
Line Numbers

Raw Audit Messages

node=sun.nixtec.net type=AVC msg=audit(1236757899.930:71): avc:  denied  { write } for  pid=5521 comm="lwdnsq" name="tmp" dev=dm-0 ino=8052756 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

node=sun.nixtec.net type=SYSCALL msg=audit(1236757899.930:71): arch=40000003 syscall=5 success=no exit=-13 a0=88a698 a1=442 a2=1b6 a3=440 items=0 ppid=5477 pid=5521 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lwdnsq" exe="/usr/libexec/ipsec/lwdnsq" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
Comment 3 Bug Zapper 2009-06-09 23:30:51 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Bug Zapper 2009-07-14 12:30:36 EDT
Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.