+++ This bug was initially created as a clone of Bug #689953 +++

Description of problem:
openswan has a facility to enable coredumps by adding the config variable dumpdir= in the "config setup" section. SELinux prevents this but doesn't give an AVC denial about the issue.

How reproducible:
Always

AVC generated with semodule -DB:
type=AVC msg=audit(1300825551.591:24204): avc: denied { rlimitinh } for pid=31204 comm="sh" scontext=user_u:system_r:ipsec_t:s0 tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=process

This needs to be allowed so that openswan startup can enable coredumps.

--- Additional comment from dwalsh on 2011-03-22 16:52:43 EDT ---

We should allow this.
# startup scripts of pluto need to be able to set ulimit -c unlimited
allow ipsec_t ipsec_mgmt_t:process rlimitinh;
I will add it.
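The denial quoted in the report is covered by a dontaudit rule in the stock policy, which is why it only appeared after semodule -DB rebuilt the policy with dontaudit rules disabled; rlimitinh is the permission checked when a process keeps its resource limits (here the ulimit -c set by the startup script) across the domain transition from ipsec_mgmt_t to ipsec_t. The following POSIX shell script is an added example, not part of the bug report or of the selinux-policy package: it does for this AVC what audit2allow does, parsing the source and target contexts, the object class and the denied permissions, and emitting the allow rule, so the result can be compared with the rule dwalsh added. The AVC line is the one from the report, embedded as a constructed sample; the module name ipsec_local and the checkmodule/semodule_package/semodule commands in the trailing comment are assumptions and are not executed.

```shell
#!/bin/sh
# Added example: derive an SELinux allow rule from an AVC denial line,
# the way audit2allow does. Not code from the bug report or selinux-policy.

# Constructed sample: the AVC from the report as it appears in audit.log
# once `semodule -DB` has disabled the dontaudit rules that normally hide it.
SAMPLE_AVC='type=AVC msg=audit(1300825551.591:24204): avc: denied { rlimitinh } for pid=31204 comm="sh" scontext=user_u:system_r:ipsec_t:s0 tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=process'

# Print the value of a key=value field ($2) from an AVC line ($1).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Type component of a user:role:type:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Space-separated permissions listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' \
        | tr -s ' ' | sed 's/^ //; s/ $//'
}

# Emit: allow <source type> <target type>:<class> <perm | { perms }>;
avc_to_allow() {
    line=$1
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    case $perms in
        *" "*) printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms" ;;
        *)     printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms" ;;
    esac
}

# Wrap the rule in a minimal local policy module (.te). The module name
# "ipsec_local" is an assumption for this example, not a name from the bug.
local_module_te() {
    line=$1
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'module ipsec_local 1.0;\n\nrequire {\n'
    printf '\ttype %s;\n\ttype %s;\n' "$src" "$tgt"
    printf '\tclass %s { %s };\n}\n\n' "$cls" "$perms"
    avc_to_allow "$line"
}

# The rule derived from the report's AVC:
avc_to_allow "$SAMPLE_AVC"

# To build and load the module as a local fix (needs root and the
# policycoreutils toolchain; shown for reference, not run here):
#   local_module_te "$SAMPLE_AVC" > ipsec_local.te
#   checkmodule -M -m -o ipsec_local.mod ipsec_local.te
#   semodule_package -o ipsec_local.pp -m ipsec_local.mod
#   semodule -i ipsec_local.pp
```

The script also handles denials that list several permissions in one AVC, emitting the braced form `{ a b }` that the policy language requires in that case. A local module built this way is a stopgap only; the proper fix is the rule landing in the distribution policy, as happened with the errata package named below.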
Fixed in selinux-policy-2.4.6-304.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html