On 08/19/2009 07:01 AM, Daniel Fazekas wrote:
> On Aug 18, 2009, at 19:30, Daniel J Walsh wrote:
>
>> I can add a tunable to allow racoon to read shadow, although I would
>> like to see it use pam if a port is available.
>
> I too would prefer PAM, unfortunately Fedora 11's copy of racoon is
> built without --with-libpam.
> There is already a BZ about it from November 2008:
> https://bugzilla.redhat.com/show_bug.cgi?id=470793
>
>> I will also add the ability to transition from racoon to setkey_t, but
>> I would prefer if you put your temporary files in /var/racoon or
>> /var/run/pluto or /var/run/racoon.
>> System Services should NEVER use /tmp for creation of or interaction with
>> files. Users live there and users is evil :^)
>
> Turns out that was simple enough.
>
> I just added
> TMPDIR="/var/racoon"
> to the start of the bash shell script, and now bash doesn't try putting
> its stuff into /tmp.
> What's even better is that this already seems to be allowed by the
> current policy.
>
> So the whole extra myracoon module could be simplified as:
>
> ---------
> policy_module(myracoon, 0.0.5)
> require { type racoon_t, setkey_exec_t; }
>
> auth_read_shadow(racoon_t)
> can_exec(racoon_t, setkey_exec_t)
> fs_dontaudit_getattr_xattr_fs(racoon_t)
> ---------
>
> Are these reasonable to add to the official policy one day?
>
Yes

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list