689953 – openswan debugging facility which allows coredumps in case of problems is broken by selinux policy dontaudit

Bug 689953 - openswan debugging facility which allows coredumps in case of problems is broken by selinux policy dontaudit

Summary: openswan debugging facility which allows coredumps in case of problems is bro...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Karel Srot
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-03-22 20:47 UTC by Tuomo Soini
Modified:	2012-10-16 11:19 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.7.19-80.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	689960 (view as bug list)
Environment:
Last Closed:	2011-05-19 12:26:49 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:0526	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-05-19 09:37:41 UTC

Description Tuomo Soini 2011-03-22 20:47:15 UTC

Description of problem:

openswan has facility to enable coredumps by adding config variable dumpdir= in config setup section. Selinux prevents this but doesn't give AVC denial about the issue.

How reproducible:

Always

avc generated with semodule -DB

type=AVC msg=audit(1300825551.591:24204): avc:  denied  { rlimitinh } for  pid=31204 comm="sh" scontext=user_u:system_r:ipsec_t:s0 tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=process

This need to be allowed so that openswan startup can enable coredumps.

Comment 1 Daniel Walsh 2011-03-22 20:52:43 UTC

We should allow this.

Comment 2 Tuomo Soini 2011-03-22 21:58:03 UTC

# startup scripts of pluto need to be able to set ulimit -c unlimited
allow ipsec_t ipsec_mgmt_t:process rlimitinh;

Comment 3 Miroslav Grepl 2011-03-25 12:56:08 UTC

Fixed in selinux-policy-3.7.19-80.el6

Comment 9 errata-xmlrpc 2011-05-19 12:26:49 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

Note You need to log in before you can comment on or make changes to this bug.