Bug 689960 - openswan debugging facility which allows coredumps in case of problems is broken by selinux policy dontaudit
Summary: openswan debugging facility which allows coredumps in case of problems is bro...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-22 21:17 UTC by Tuomo Soini
Modified: 2017-05-22 14:28 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-2.4.6-304.el5
Doc Type: Bug Fix
Doc Text:
Clone Of: 689953
Environment:
Last Closed: 2011-07-21 09:19:53 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1069 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-07-21 09:18:27 UTC

Description Tuomo Soini 2011-03-22 21:17:25 UTC 
+++ This bug was initially created as a clone of Bug #689953 +++

Description of problem:

openswan has facility to enable coredumps by adding config variable dumpdir= in config setup section. Selinux prevents this but doesn't give AVC denial about the issue.

How reproducible:

Always

avc generated with semodule -DB

type=AVC msg=audit(1300825551.591:24204): avc:  denied  { rlimitinh } for  pid=31204 comm="sh" scontext=user_u:system_r:ipsec_t:s0 tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=process

This need to be allowed so that openswan startup can enable coredumps.

--- Additional comment from dwalsh on 2011-03-22 16:52:43 EDT ---

We should allow this.
Comment 1 Tuomo Soini 2011-03-22 21:57:37 UTC 
# startup scripts of pluto need to be able to set ulimit -c unlimited
allow ipsec_t ipsec_mgmt_t:process rlimitinh;
Comment 2 Miroslav Grepl 2011-03-29 08:17:59 UTC 
I will add it.
Comment 4 Miroslav Grepl 2011-04-05 14:38:28 UTC 
Fixed in selinux-policy-2.4.6-304.el5
Comment 7 errata-xmlrpc 2011-07-21 09:19:53 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 8 errata-xmlrpc 2011-07-21 11:56:12 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Note You need to log in before you can comment on or make changes to this bug.