Bug 545369 - strict policy blocks 'racoonctl show-sa ipsec' in enforcing mode
Summary: strict policy blocks 'racoonctl show-sa ipsec' in enforcing mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-strict
Version: 5.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-12-08 10:42 UTC by Milos Malik
Modified: 2012-10-15 14:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 07:49:48 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2010:0182 (priority: normal, status: SHIPPED_LIVE): selinux-policy bug fix update, last updated 2010-03-29 12:19:53 UTC

Description Milos Malik 2009-12-08 10:42:15 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-mls-2.4.6-255.el5
selinux-policy-strict-2.4.6-255.el5
selinux-policy-devel-2.4.6-255.el5
selinux-policy-2.4.6-255.el5
selinux-policy-targeted-2.4.6-255.el5
ipsec-tools-0.6.5-13.el5_3.1

How reproducible:
always

Steps to Reproduce:
# setenforce 1
# racoon -v
# ps ax | grep -i racoon
 9436 ?        Ss     0:00 racoon -v
 9445 ttySG0   S+     0:00 grep -i racoon
# matchpathcon /var/racoon
/var/racoon	system_u:object_r:ipsec_var_run_t
# matchpathcon /var/racoon/racoon.sock 
/var/racoon/racoon.sock	system_u:object_r:ipsec_var_run_t
# restorecon -Rv /var/racoon
# racoonctl show-sa ipsec
send: Bad file descriptor
# ausearch -m AVC -ts recent
----
time->Tue Dec  8 05:35:38 2009
type=SYSCALL msg=audit(1260268538.518:102): arch=c0000032 syscall=1192 success=yes exit=0 a0=3 a1=60000fffff91394a a2=6e a3=40000000000215d8 items=0 ppid=9110 pid=9442 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttySG0 ses=5 comm="racoonctl" exe="/usr/sbin/racoonctl" subj=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1260268538.518:102): avc:  denied  { connectto } for  pid=9442 comm="racoonctl" path="/var/racoon/racoon.sock" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:system_r:racoon_t:s0-s0:c0.c1023 tclass=unix_stream_socket
# setenforce 0
# racoonctl show-sa ipsec
No SAD entries.
# 

Actual results:
AVC

Expected results:
no AVCs

Comment 1 Daniel Walsh 2009-12-09 13:32:42 UTC
I added
########################################
## <summary>
##	Connect to racoon using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`ipsec_stream_connect_racoon',`
	gen_require(`
		type racoon_t, ipsec_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
')

ipsec_stream_connect_racoon(sysadm_t)


To F12.

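The denial in the description is the ordinary shape of an AVC record, and the proper fix is the one above: a policy interface that grants sysadm_t the stream_connect_pattern to racoon_t through ipsec_var_run_t, shipped in the updated selinux-policy package. Until that package is installed, an administrator on an affected box would normally carry a local module generated with audit2allow from the same AVC line. The script below is an added example for this page, not code from the bug report, from Daniel Walsh's comment or from the selinux-policy package: it does what audit2allow does for one denial, using only sed and cut so it runs without the SELinux userspace, and it handles a denial that lists several permissions, not only the single connectto seen here. The function names (avc_field, avc_to_module and so on) and the assumed record format (denied { perms } ... scontext= tcontext= tclass=) are this example's own assumptions; the sample input is the report's own AVC line, embedded here as constructed test data.

```shell
#!/bin/sh
# Added example for this bug page; not code from the report, from
# Daniel Walsh's comment or from the selinux-policy package.
# Turns one AVC denial line into a minimal local policy module in the
# layout audit2allow emits, using only sed/cut (assumption: the
# "avc: denied { perms } for ... scontext= tcontext= tclass=" record shape
# shown in the report).

# Constructed sample input: the denial from the bug description, verbatim.
AVC_LINE='type=AVC msg=audit(1260268538.518:102): avc:  denied  { connectto } for  pid=9442 comm="racoonctl" path="/var/racoon/racoon.sock" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:system_r:racoon_t:s0-s0:c0.c1023 tclass=unix_stream_socket'

# avc_field LINE KEY: the value of "KEY=value" (up to the next blank).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# context_type CONTEXT: the type field of user:role:type[:range];
# the MLS range (s0-s0:c0.c1023) is irrelevant to a type-enforcement rule.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permission list between the braces after "denied",
# trailing blanks stripped, so "{ read write }" yields "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# avc_to_allow LINE: the one "allow src tgt:class { perms };" rule that
# would have let this access through.
avc_to_allow() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_to_module NAME LINE: a complete NAME.te, loadable with
#   checkmodule -M -m -o NAME.mod NAME.te
#   semodule_package -o NAME.pp -m NAME.mod
#   semodule -i NAME.pp
# The require block lists each type once even when src and tgt coincide.
avc_to_module() {
    src=$(context_type "$(avc_field "$2" scontext)")
    tgt=$(context_type "$(avc_field "$2" tcontext)")
    cls=$(avc_field "$2" tclass)
    perms=$(avc_perms "$2")
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '\ttype %s;\n' "$src"
    [ "$src" = "$tgt" ] || printf '\ttype %s;\n' "$tgt"
    printf '\tclass %s { %s };\n}\n\n' "$cls" "$perms"
    avc_to_allow "$2"
}

# Usage: write the module for the report's denial to stdout.
avc_to_module racoonctl_local "$AVC_LINE"
```

The rule this produces, allow sysadm_t racoon_t:unix_stream_socket { connectto };, is the raw form of what the interface above grants, minus the files_search_pids and the stream_connect_pattern write/connect permissions on the socket file itself, which the report shows were not denied. Treat such a module as a stopgap: remove it (semodule -r racoonctl_local) once the fixed selinux-policy is installed, and keep in mind that a rule generated from a single AVC only covers the first denial; after loading it, repeat the test in enforcing mode and look for the next AVC.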
Comment 3 Miroslav Grepl 2009-12-11 11:24:04 UTC
Fixed in selinux-policy-2.4.6-266.el5.noarch

Comment 7 errata-xmlrpc 2010-03-30 07:49:48 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html

