On Wed, 2009-08-19 at 13:01 +0200, Daniel Fazekas wrote:
> On Aug 18, 2009, at 19:30, Daniel J Walsh wrote:
>
> > I can add a tunable to allow racoon to read shadow, although I would
> > like to see it use pam if a port is available.
>
> I too would prefer PAM, unfortunately Fedora 11's copy of racoon is
> built without --with-libpam.
> There's already a BZ about it from November 2008:
> https://bugzilla.redhat.com/show_bug.cgi?id=470793
>
> > I will also add the ability to transition from racoon to setkey_t,
> > but I would prefer if you put your temporary files in /var/racoon
> > or /var/run/pluto or /var/run/racoon.
> > System Services should NEVER use /tmp for creation of interaction
> > with files. Users live there and users is evil :^)
>
> Turns out that was simple enough.
>
> I just added
> TMPDIR="/var/racoon"
> to the start of the bash shell script, and now bash doesn't try
> putting its stuff into /tmp.
> What's even better is that this already seems to be allowed by the
> current policy.

I've added the TMPDIR setting to the ipsec-tools-0.7.3-2.fc12 package - you can get it from koji or from rawhide mirrors later.

> So the whole extra myracoon module could be simplified as:
>
> ---------
> policy_module(myracoon, 0.0.5)
> require { type racoon_t, setkey_exec_t; }
>
> auth_read_shadow(racoon_t)
> can_exec(racoon_t, setkey_exec_t)
> fs_dontaudit_getattr_xattr_fs(racoon_t)
> ---------
>
> Are these reasonable to add to the official policy one day?

I've also added --with-libpam to the build and added some initial racoon PAM configuration. Can you please test xauth against pam instead of shadow? I still suppose some selinux-policy adjustments will be necessary.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
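A small shell check, added here as an example and not code from the thread or from ipsec-tools, showing what the TMPDIR line in the racoon start script buys a system service: scratch files follow $TMPDIR, and a scratch directory is only acceptable when it is neither the shared /tmp nor writable by other users. The directory names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or ipsec-tools). mktemp and bash's
# here-document scratch files both follow $TMPDIR, so a service that sets
# it to its own directory never creates files in the shared /tmp, where
# unprivileged users can pre-create or race on file names.

# Create a scratch file the way a service script would (a child process
# reading TMPDIR), and print the directory it actually landed in.
scratch_dir_for() {
    tmpdir=$1                              # "" behaves like "TMPDIR unset"
    f=$(TMPDIR="$tmpdir" sh -c 'mktemp "${TMPDIR:-/tmp}/racoon.XXXXXX"')
    d=$(dirname "$f")
    rm -f "$f"
    printf '%s\n' "$d"
}

# Is this directory acceptable as a service's private scratch area?
# Rejects the shared /tmp and /var/tmp themselves, and any directory
# writable by "other", the property that lets local users plant files.
private_tmp_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    case "$dir" in
        /tmp|/var/tmp) return 1 ;;
    esac
    mode=$(ls -ld "$dir" | cut -c1-10)     # e.g. drwx------
    case "$mode" in
        ????????w?) return 1 ;;            # other-write bit set
    esac
    return 0
}

# Demo: a constructed 0700 directory standing in for /var/racoon, vs /tmp.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/racoon-demo.XXXXXX")
chmod 700 "$demo_dir"
echo "scratch files land in: $(scratch_dir_for "$demo_dir")"
private_tmp_ok "$demo_dir" && echo "$demo_dir: private, OK for a service"
private_tmp_ok /tmp || echo "/tmp: shared, not acceptable for a service"
rm -rf "$demo_dir"
```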