Red Hat Bugzilla – Bug 602350
SELinux is preventing /usr/libexec/nm-openswan-service "execute" access on /usr/sbin/ipsec.
Last modified: 2012-10-15 10:02:51 EDT
WHen trying locally build NetworkManager-openswan-0.8.0-2.0.MC.git20100411.2.el6.x86_64 openswan-2.6.25-2.el6.x86_64 Souhrn: SELinux is preventing /usr/libexec/nm-openswan-service "execute" access on /usr/sbin/ipsec. Podrobný popis: SELinux denied access requested by nm-openswan-ser. It is not expected that this access is required by nm-openswan-ser and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Povolení přístupu: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Další informace: Kontext zdroje system_u:system_r:NetworkManager_t:s0 Kontext cíle system_u:object_r:ipsec_mgmt_exec_t:s0 Objekty cíle /usr/sbin/ipsec [ file ] Zdroj nm-openswan-ser Cesta zdroje /usr/libexec/nm-openswan-service Port <Neznámé> Počítač (removed) RPM balíčky zdroje NetworkManager- openswan-0.8.0-2.0.MC.git20100411.2.el6 RPM balíčky cíle openswan-2.6.25-2.el6 RPM politiky selinux-policy-3.7.19-23.el6 Selinux povolen True Typ politiky targeted Vynucovací režim Enforcing Název zásuvného modulu catchall Název počítače (removed) Platforma Linux (removed) 2.6.32-33.el6.x86_64 #1 SMP Thu Jun 3 13:00:03 EDT 2010 x86_64 x86_64 Počet upozornění 2 Poprvé viděno St 9. červen 2010, 18:48:51 CEST Naposledy viděno St 9. červen 2010, 18:49:24 CEST Místní ID 92db2c80-711a-4739-bd8e-83fe96c3b6be Čísla řádků Původní zprávy auditu node=(removed) type=AVC msg=audit(1276102164.678:102): avc: denied { execute } for pid=23042 comm="nm-openswan-ser" name="ipsec" dev=dm-1 ino=526777 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1276102164.678:102): arch=c000003e syscall=59 success=no exit=-13 a0=402f05 a1=2257510 a2=7fffcbdc3bf8 a3=7fffcbdc2d70 items=0 ppid=1 pid=23042 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-openswan-ser" exe="/usr/libexec/nm-openswan-service" subj=system_u:system_r:NetworkManager_t:s0 key=(null) Hash String generated from catchall,nm-openswan-ser,NetworkManager_t,ipsec_mgmt_exec_t,file,execute audit2allow suggests: #============= NetworkManager_t ============== allow NetworkManager_t ipsec_mgmt_exec_t:file execute;
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.
What file is labeled ipsec_mgmt_exec_t? /usr/libexec/nm-openswan-service DOes not exist in Fedora?
I think this might be fixed in the current RHEL6 or there is another bug on it. Rawhide has this label /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) And a transition between NetworkManager_t and ipsec_mgmt_t
Yes, it was added to selinux-policy-3.7.19-26.el6
Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.