Re: SELinux and openswan

Paul Howarth <paul@xxxxxxxxxxxx> · Wed, 07 Jul 2010 09:35:08 +0100

On 07/07/10 09:10, Gerard Braad wrote:
> I have an issue when running SELinux in targeted mode with openswan on CentOS 5.
>
> On one node it works well, but another node fails with:
>
> /bin/sh: error while loading shared libraries: libtermcap.so.2: cannot
> open shared object file: Permission denied
>
> when I try to do a 'service ipsec start'. with 'setenforce 0' the
> service starts.
>
> the output that ends up in my dmesg is:
>
> type=1400 audit(1278489551.987:60): avc:  denied  { search } for
> pid=1278 comm="ipsec" name="/" dev=xvda ino=2
> scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
>
> and as permissive:
>
> type=1404 audit(1278489596.565:78): enforcing=0 old_enforcing=1
> auid=4294967295 ses=4294967295
> type=1400 audit(1278489600.661:79): avc:  denied  { search } for
> pid=1292 comm="ipsec" name="/" dev=xvda ino=2
> scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> type=1400 audit(1278489600.661:80): avc:  denied  { getattr } for
> pid=1292 comm="ipsec" path="/" dev=xvda ino=2
> scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> type=1400 audit(1278489600.681:81): avc:  denied  { read } for
> pid=1292 comm="addconn" name="libnspr4.so" dev=xvda ino=7696
> scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=file
> type=1400 audit(1278489600.681:82): avc:  denied  { getattr } for
> pid=1292 comm="addconn" path="/usr/lib64/libnspr4.so" dev=xvda
> ino=7696 scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=file
> type=1400 audit(1278489600.681:83): avc:  denied  { execute } for
> pid=1292 comm="addconn" path="/usr/lib64/libnspr4.so" dev=xvda
> ino=7696 scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=file
> type=1400 audit(1278489600.693:84): avc:  denied  { read } for
> pid=1295 comm="ipsec" name="sh" dev=xvda ino=25126
> scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
> type=1400 audit(1278489600.697:85): avc:  denied  { execute_no_trans }
> for  pid=1298 comm="_realsetup" path="/sbin/ip" dev=xvda ino=7805
> scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=file
> type=1400 audit(1278489600.701:86): avc:  denied  { create } for
> pid=1298 comm="ip" scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket

The target contexts in most of these denials are file_t, indicating a 
labelling problem. Has the system been run with SELinux in disabled mode 
for some time? I'd suggest relabelling and trying again.

Paul.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux