Re: racoon denials

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 08/17/2009 04:59 AM, Daniel Fazekas wrote:
> selinux-policy-3.6.12-72.fc11.noarch
> selinux-policy-targeted-3.6.12-72.fc11.noarch
> ipsec-tools-0.7.2-1.fc11.x86_64
> 
> I'm getting a handful of racoon denials with what I believe is a pretty
> common setup — is there anything I could be doing differently?
> 
> allow racoon_t shadow_t:file { read getattr open };
> 
> This is needed for racoon to do XAuth logins with the default
> auth_source of system. Unfortunately that's the only option available
> with racoon as supplied in Fedora 11, as support for pam/ldap/radius
> isn't built in.
> 
> 
> The rest is all caused by my having a phase1_up/down script in
> /etc/racoon/scripts (the directory and the script are both
> system_u:object_r:bin_t:s0).
> 
> allow racoon_t setkey_exec_t:file { read execute open execute_no_trans };
> allow racoon_t fs_t:filesystem getattr;
> allow racoon_t tmp_t:dir { write remove_name getattr search add_name };
> allow racoon_t tmp_t:file { write getattr read create unlink open };
> 
> Calling /sbin/setkey to add and remove SPDs is the primary reason to
> have an up/down script.
> The fs_t and tmp_t accesses are less clear why they are necessary. It's
> a /bin/sh script which isn't doing anything other than calling
> /sbin/setkey.
> 
> type=AVC msg=audit(1250495868.674:27320): avc:  denied  { getattr } for 
> pid=5436 comm="l2tp_up_down" path="/tmp" dev=dm-0 ino=26
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27321): avc:  denied  { write } for 
> pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27322): avc:  denied  { getattr } for 
> pid=5436 comm="l2tp_up_down" name="/" dev=dm-0 ino=2
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> type=AVC msg=audit(1250495868.674:27323): avc:  denied  { search } for 
> pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27323): avc:  denied  { add_name }
> for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043"
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27323): avc:  denied  { create } for 
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043"
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.674:27323): avc:  denied  { write open }
> for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0
> ino=218 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.675:27324): avc:  denied  { getattr } for 
> pid=5436 comm="l2tp_up_down" path="/tmp/sh-thd-1250518043" dev=dm-0
> ino=218 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27325): avc:  denied  { read } for 
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27326): avc:  denied  { remove_name }
> for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0
> ino=218 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.676:27326): avc:  denied  { unlink } for 
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc:  denied  { execute } for 
> pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc:  denied  { read open }
> for  pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc:  denied  {
> execute_no_trans } for  pid=5436 comm="l2tp_up_down" path="/sbin/setkey"
> dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc:  denied  { execute } for 
> pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc:  denied  { read open }
> for  pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc:  denied  {
> execute_no_trans } for  pid=5533 comm="l2tp_up_down" path="/sbin/setkey"
> dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.293:27359): avc:  denied  { read } for 
> pid=5533 comm="setkey"
> path=2F746D702F73682D7468642D31323530353139323239202864656C6574656429
> dev=dm-0 ino=30914 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> 
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
I can add a tunable to allow racoon to read shadow, although I would like to see it use pam if a port is available.

I will also add the ability to transition from racoon to setkey_t, but I would prefer if you put your temporary files in /var/racoon or /var/run/pluto or /var/run/racoon.

System Services should NEVER use /tmp for creation of interaction with files.  Users live there and users is evil :^)

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux