Re: openswan start denied by selinux if a custom log file is used

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 05/20/2013 12:31 PM, Manuel Wolfshant wrote:
Hello

    I am using CentOS 6.4 and I want to store the logs from openswan into a different file ( /var/log/ipsec ) than the default. For this purpose I added
plutostderrlog=/var/log/ipsec
to ipsec.conf.
    As long as I keep the server in permissive mode, openswan starts OK. If, however, I switch to enforcing, the daemon refuses to start with the following error message displayed in the console:
ipsec_setup: Starting Openswan IPsec U2.6.32/K3.0.78-1.el6.elrepo.x86_64...
ipsec_setup: Cannot write to "/var/log/ipsec".
    The audit log does not record anything useful so I tried to switch dontaudit to off and see if anything useful comes out. After running audit2allow and a bit of trial and error I came out with the following custom policy :
module myipsec 1.0;

require {
        type ipsec_t;
Sorry, this line is:

                type ipsec_mgmt_t;


        type var_log_t;
        class file { write ioctl getattr append };
}

#============= ipsec_mgmt_t ==============

allow ipsec_mgmt_t var_log_t:file write;


    The above policy worked for me but I am wondering if it is OK (I am mostly confused by the fact that the class includes " write ioctl getattr append " but the rule has only "write" ). And, assuming it is OK can this custom policy ( or the corrected one if needed ) be included in the default policy ?

    TIA

        manuel

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux