Bug 689960 - openswan debugging facility which allows coredumps in case of problems is broken by selinux policy dontaudit
openswan debugging facility which allows coredumps in case of problems is bro...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.6
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-03-22 17:17 EDT by Tuomo Soini
Modified: 2011-07-21 07:56 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-304.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 689953
Environment:
Last Closed: 2011-07-21 05:19:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tuomo Soini 2011-03-22 17:17:25 EDT
+++ This bug was initially created as a clone of Bug #689953 +++

Description of problem:

openswan has facility to enable coredumps by adding config variable dumpdir= in config setup section. Selinux prevents this but doesn't give AVC denial about the issue.

How reproducible:

Always

avc generated with semodule -DB

type=AVC msg=audit(1300825551.591:24204): avc:  denied  { rlimitinh } for  pid=31204 comm="sh" scontext=user_u:system_r:ipsec_t:s0 tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=process

This need to be allowed so that openswan startup can enable coredumps.

--- Additional comment from dwalsh@redhat.com on 2011-03-22 16:52:43 EDT ---

We should allow this.
Comment 1 Tuomo Soini 2011-03-22 17:57:37 EDT
# startup scripts of pluto need to be able to set ulimit -c unlimited
allow ipsec_t ipsec_mgmt_t:process rlimitinh;
Comment 2 Miroslav Grepl 2011-03-29 04:17:59 EDT
I will add it.
Comment 4 Miroslav Grepl 2011-04-05 10:38:28 EDT
Fixed in selinux-policy-2.4.6-304.el5
Comment 7 errata-xmlrpc 2011-07-21 05:19:53 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 8 errata-xmlrpc 2011-07-21 07:56:12 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Note You need to log in before you can comment on or make changes to this bug.