Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 538503

Summary: MLS selinux-policy: setkey executed from initrc_t from if{up,down}-ipsec fails to set policies
Product: Red Hat Enterprise Linux 5 Reporter: RHEL Program Management <pm-rhel>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: urgent    
Version: 5.3CC: dwalsh, ebenes, herrold, jplans, mgrepl, notting, ohudlick, pm-eus, shaines, syeghiay, thoger, tmraz
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-01-07 09:02:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 515687    
Bug Blocks:    

Description RHEL Program Management 2009-11-18 17:44:19 UTC 
This bug has been copied from bug #515687 and has been proposed
to be backported to 5.4 z-stream (EUS).
Comment 4 Miroslav Grepl 2009-12-02 18:01:30 UTC 
Fixed in selinux-policy-2.4.6-255.el5_4.2.noarch
Comment 6 Eduard Benes 2009-12-10 16:24:28 UTC 
Following denial still blocks the expected functionality, and is shown only
after
rebuild with "semodule -DB":

#============= setkey_t ==============
allow setkey_t sysadm_tmp_t:file { read getattr };


After adding custom policy module as follows make it work again:

# cat my.te 
policy_module(mypol,1.0.0)
require{
 type setkey_t; 
 type sysadm_tmp_t; 

}
allow setkey_t sysadm_tmp_t:file { read getattr };
# make -f /usr/share/selinux/devel/Makefile
Comment 7 Eduard Benes 2009-12-11 14:22:26 UTC 
Everything seems to work if I use this:

# cat my.if my.te -n
     1	interface(`userdom_read_sysadm_tmp_files',`
     2	  gen_require(`
     3	    type sysadm_tmp_t;
     4	  ')
     5	  allow $1 sysadm_tmp_t:file { read getattr };
     6	')
     7	

     8	policy_module(mysetkey,1.0.0)
     9	
    10	gen_require(`
    11	  type setkey_t;
    12	')
    13	
    14	userdom_read_sysadm_tmp_files(setkey_t);
Comment 8 Miroslav Grepl 2009-12-16 11:53:22 UTC 
Fixed in selinux-policy-2.4.6-255.el5_4.3.noarch
Comment 11 errata-xmlrpc 2010-01-07 09:02:19 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0013.html