Description of problem:
If you switch SELinux to enforcing mode and set "plutostderrlog=/var/log/pluto.log" you'll get a message: ipsec_setup: Cannot write to directory to create "/var/log/pluto.log".

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-255.el5_4.1.noarch
openswan-2.6.21-5.el5_4.1.i386

How reproducible:
always

Steps to Reproduce:
1. install openswan
2. set variable "plutostderrlog=/var/log/pluto.log" in /etc/ipsec.conf
3. start ipsec by "service ipsec start"

Actual results:
ipsec writes: ipsec_setup: Cannot write to directory to create "/var/log/pluto.log".

selinux messages:

$ sesearch -s ipsec_mgmt_t --all | grep -i log
allow ipsec_mgmt_t devlog_t : lnk_file read ;
allow ipsec_mgmt_t devlog_t : sock_file { ioctl read write getattr lock append };
allow ipsec_mgmt_t syslogd_t : unix_stream_socket connectto ;
allow ipsec_mgmt_t syslogd_t : unix_dgram_socket sendto ;

$ cat /var/log//audit/audit.log | grep "pluto.log"
type=AVC msg=audit(1257934981.359:9156): avc: denied { append } for pid=32623 comm="_plutorun" name="pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1257934981.360:9157): avc: denied { append } for pid=32623 comm="_plutorun" name="pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035524.222:16802): avc: denied { write } for pid=7435 comm="_plutorun" name="pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1258035590.005:16805): avc: denied { append } for pid=7588 comm="_plutorun" name="pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035590.005:16806): avc: denied { append } for pid=7588 comm="pluto" path="/pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035590.119:16807): avc: denied { append } for pid=7588 comm="pluto" path="/pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035590.134:16809): avc: denied { append } for pid=7633 comm="sh" path="/pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035632.436:16832): avc: denied { add_name } for pid=8058 comm="_plutorun" name="pluto.log" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1258035632.436:16832): avc: denied { create } for pid=8058 comm="_plutorun" name="pluto.log" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1258035632.436:16833): avc: denied { write } for pid=8058 comm="_plutorun" path="/var/log/pluto.log" dev=sda2 ino=12353816 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file

Expected results:
writing enabled

Additional info:
ipsec tries to write to the log file but it is not allowed; then it's probably redirected to /pluto.log with the same result. If you switch off SELinux by "setenforce 0", openswan will react correctly to the "plutostderrlog" variable in /etc/ipsec.conf and logging will start as expected.
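As an added example (not part of the bug report or of the selinux-policy package), a small Python triage helper that parses AVC records like the ones above, groups the denied permissions by source domain, target type and object class, and flags denials against generic types such as var_log_t or root_t, where the right fix is a relabel or a dedicated file type with a file transition rather than a blanket allow rule. The sample records are copied from the description; the GENERIC_TYPES list is my own assumption.

```python
import re
from collections import defaultdict

# Constructed sample: five of the AVC records quoted in the bug description, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1257934981.359:9156): avc: denied { append } for pid=32623 comm="_plutorun" name="pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035524.222:16802): avc: denied { write } for pid=7435 comm="_plutorun" name="pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1258035590.005:16806): avc: denied { append } for pid=7588 comm="pluto" path="/pluto.log" dev=sda2 ino=98307 scontext=root:system_r:ipsec_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1258035632.436:16832): avc: denied { add_name } for pid=8058 comm="_plutorun" name="pluto.log" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1258035632.436:16832): avc: denied { create } for pid=8058 comm="_plutorun" name="pluto.log" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
"""

# Generic types a confined daemon should not get a blanket allow on: a denial against one
# of these means the object is mislabelled or needs its own type plus a filetrans (assumed list).
GENERIC_TYPES = {"root_t", "var_log_t", "tmp_t", "var_t", "etc_t"}

PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    m = PERMS_RE.search(line)
    if not m or "type=AVC" not in line:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    stype = fields["scontext"].split(":")[2]   # user:role:type:level -> type
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], frozenset(m.group(1).split())

def summarize(audit_text):
    """Group denials by (source type, target type, class) -> sorted union of denied perms."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            summary[(stype, ttype, tclass)] |= perms
    return {k: sorted(v) for k, v in summary.items()}

def triage(summary):
    """One finding per group: generic target type -> relabel/new type, otherwise a missing rule."""
    findings = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        verdict = ("relabel or add dedicated type + filetrans" if ttype in GENERIC_TYPES
                   else "missing allow rule")
        findings.append(f"{stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }}: {verdict}")
    return findings
```

Run on the sample, every group lands on a generic type, which is what the policy fix in this report addresses by introducing a dedicated log type instead of allowing ipsec_mgmt_t to write var_log_t directly.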
Could you try out the latest 5.5 policy? A preview is available at http://people.redhat.com/dwalsh/SELinux/RHEL5
Hi Daniel, of course I can, but please let me know what package I should install from this list. Thanks!
Just grab the selinux-policy packages from the noarch directory.
Tested without any success. Same state has appeared.
OK, the current policy does not have any coverage of log files in F12 or RHEL5. You can

chcon -t ipsec_var_run_t /var/log/pluto.log

and you should be able to run without any AVC messages and get your log info.
Miroslav, we need to add an ipsec_log_t to the RHEL5 policy.

te file:

type ipsec_log_t;
logging_log_file(ipsec_log_t)

...

# log files
manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)

fc file:

/var/log/racoon\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
FYI: Same problem with RHEL6. I suppose you know about it.
Ales, if you update RHEL6 to the latest F12 policy this should be fixed. This should happen before the beta.
Fixed in selinux-policy-2.4.6-265.el5.noarch
Daniel, I tried it on RHEL6 - same problem with the log file. Tried with policy selinux-policy-2.4.6-264.el5 (package selinux-policy-3.6.32-24.el6.noarch (which is newer than selinux-policy-2.4.6-264.el5.noarch) is already installed). I don't know where I could get a newer policy version; 'http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/' contains only 264.
Tested on RHEL6 with selinux-policy-3.6.32-53.fc12.noarch and selinux-policy-targeted-3.6.32-53.fc12.noarch - works fine! But I still caught some AVCs...

----
time->Thu Dec 3 10:00:17 2009
type=SYSCALL msg=audit(1259852417.493:46363): arch=80000015 syscall=33 success=no exit=-13 a0=fff7b053930 a1=7 a2=fffcf3bd730 a3=fffffffffefefeff items=0 ppid=30954 pid=30955 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4055 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1259852417.493:46363): avc: denied { write } for pid=30955 comm="pluto" name="tmp" dev=dm-0 ino=32770 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Dec 3 10:00:17 2009
type=SYSCALL msg=audit(1259852417.563:46364): arch=80000015 syscall=54 success=no exit=-19 a0=14 a1=89f3 a2=fffcf3ba9b0 a3=4000 items=0 ppid=30954 pid=30955 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4055 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=unconfined_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1259852417.563:46364): avc: denied { sys_module } for pid=30955 comm="pluto" capability=16 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:system_r:ipsec_t:s0 tclass=capability
Ales, did you disable IPV6?
What is pluto trying to create in /tmp? It should be using /var/run.
Daniel, IPv6 is on, but the connection is created through IPv4. Do I have to disable IPv6 - why? But the good question is: why does pluto try to write to /tmp? I don't know yet. Pinging Avesh...
Hi Ales,

There is nothing much which changed between openswan-2.6.21-5.el5_4 and openswan-2.6.21-5.el5_4.1 in RHEL5.4. I am wondering now why the AVCs related to /tmp are showing up. I am looking into the Openswan code about it.

Thanks and Regards,
Avesh
Ales, there is another bug report open discussing the sys_module and /tmp access request.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0182.html