Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-mls-2.4.6-255.el5
selinux-policy-strict-2.4.6-255.el5
selinux-policy-devel-2.4.6-255.el5
selinux-policy-2.4.6-255.el5
selinux-policy-targeted-2.4.6-255.el5
ipsec-tools-0.6.5-13.el5_3.1

How reproducible:
always

Steps to Reproduce:
# setenforce 1
# racoon -v
# ps ax | grep -i racoon
 9436 ?        Ss     0:00 racoon -v
 9445 ttySG0   S+     0:00 grep -i racoon
# matchpathcon /var/racoon
/var/racoon	system_u:object_r:ipsec_var_run_t
# matchpathcon /var/racoon/racoon.sock
/var/racoon/racoon.sock	system_u:object_r:ipsec_var_run_t
# restorecon -Rv /var/racoon
# racoonctl show-sa ipsec
send: Bad file descriptor
# ausearch -m AVC -ts recent
----
time->Tue Dec 8 05:35:38 2009
type=SYSCALL msg=audit(1260268538.518:102): arch=c0000032 syscall=1192 success=yes exit=0 a0=3 a1=60000fffff91394a a2=6e a3=40000000000215d8 items=0 ppid=9110 pid=9442 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttySG0 ses=5 comm="racoonctl" exe="/usr/sbin/racoonctl" subj=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1260268538.518:102): avc: denied { connectto } for pid=9442 comm="racoonctl" path="/var/racoon/racoon.sock" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:system_r:racoon_t:s0-s0:c0.c1023 tclass=unix_stream_socket
# setenforce 0
# racoonctl show-sa ipsec
No SAD entries.
#

Actual results:
AVC

Expected results:
no AVCs
I added

########################################
## <summary>
##	Connect to racoon using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`ipsec_stream_connect_racoon',`
	gen_require(`
		type racoon_t, ipsec_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
')

ipsec_stream_connect_racoon(sysadm_t)

To F12.
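As an added example (not part of this bug report or of the selinux-policy package), a small Python triage helper that parses the AVC record from the ausearch output above and maps a connectto denial on racoon's control socket to the ipsec_stream_connect_racoon interface added in the fix; for any other denial it falls back to the raw allow rule audit2allow would emit. The regexes and function names are my own.

```python
import re

# AVC record copied from the ausearch output in this bug report.
AVC_LINE = ('type=AVC msg=audit(1260268538.518:102): avc: denied { connectto } '
            'for pid=9442 comm="racoonctl" path="/var/racoon/racoon.sock" '
            'scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
            'tcontext=root:system_r:racoon_t:s0-s0:c0.c1023 tclass=unix_stream_socket')

# "avc: denied { perm ... } for key=value ..." -- only the part after "for" carries fields.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC line, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(ctx):
    """Type component (third field) of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def to_allow_rule(avc):
    """Minimal allow rule that would satisfy the denial (what audit2allow would print)."""
    return 'allow %s %s:%s { %s };' % (context_type(avc['scontext']),
                                        context_type(avc['tcontext']),
                                        avc['tclass'], ' '.join(avc['perms']))


def suggested_interface(avc):
    """Name the policy interface from this bug when the denial is a unix stream connect to
    racoon_t; return None for anything else so the caller falls back to the raw rule."""
    if (avc['tclass'] == 'unix_stream_socket' and 'connectto' in avc['perms']
            and context_type(avc['tcontext']) == 'racoon_t'):
        return 'ipsec_stream_connect_racoon(%s)' % context_type(avc['scontext'])
    return None


def triage(log_lines):
    """Turn raw audit lines into remediation hints, skipping SYSCALL and other non-AVC records."""
    hints = []
    for line in log_lines:
        avc = parse_avc(line)
        if avc:
            hints.append(suggested_interface(avc) or to_allow_rule(avc))
    return hints
```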
Fixed in selinux-policy-2.4.6-266.el5.noarch
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html