Bug 689953 - openswan debugging facility which allows coredumps in case of problems is broken by selinux policy dontaudit
Summary: openswan debugging facility which allows coredumps in case of problems is bro...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Karel Srot
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-22 20:47 UTC by Tuomo Soini
Modified: 2012-10-16 11:19 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.7.19-80.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 689960 (view as bug list)
Environment:
Last Closed: 2011-05-19 12:26:49 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0526 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-05-19 09:37:41 UTC

Description Tuomo Soini 2011-03-22 20:47:15 UTC
Description of problem:

openswan has facility to enable coredumps by adding config variable dumpdir= in config setup section. Selinux prevents this but doesn't give AVC denial about the issue.

How reproducible:

Always

avc generated with semodule -DB

type=AVC msg=audit(1300825551.591:24204): avc:  denied  { rlimitinh } for  pid=31204 comm="sh" scontext=user_u:system_r:ipsec_t:s0 tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=process

This need to be allowed so that openswan startup can enable coredumps.

Comment 1 Daniel Walsh 2011-03-22 20:52:43 UTC
We should allow this.

Comment 2 Tuomo Soini 2011-03-22 21:58:03 UTC
# startup scripts of pluto need to be able to set ulimit -c unlimited
allow ipsec_t ipsec_mgmt_t:process rlimitinh;

Comment 3 Miroslav Grepl 2011-03-25 12:56:08 UTC
Fixed in selinux-policy-3.7.19-80.el6

Comment 9 errata-xmlrpc 2011-05-19 12:26:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html


Note You need to log in before you can comment on or make changes to this bug.