On 05/20/2013 12:31 PM, Manuel Wolfshant wrote:
Hello
I am using CentOS 6.4 and I want to store the logs from
openswan into a different file (/var/log/ipsec) than the
default. For this purpose I added
plutostderrlog=/var/log/ipsec
to ipsec.conf.
As long as I keep the server in permissive mode, openswan
starts OK. If, however, I switch to enforcing, the daemon refuses
to start with the following error message displayed in the
console:
ipsec_setup: Starting Openswan IPsec U2.6.32/K3.0.78-1.el6.elrepo.x86_64...
ipsec_setup: Cannot write to "/var/log/ipsec".
The audit log does not record anything useful so I tried to
switch dontaudit to off and see if anything useful comes out.
After running audit2allow and a bit of trial and error I came out
with the following custom policy:
module myipsec 1.0;
require {
        type ipsec_t;
Sorry, this line is:
        type ipsec_mgmt_t;
        type var_log_t;
        class file { write ioctl getattr append };
}
#============= ipsec_mgmt_t ==============
allow ipsec_mgmt_t var_log_t:file write;
The above policy worked for me but I am wondering if it is OK
(I am mostly confused by the fact that the class includes "write
ioctl getattr append" but the rule has only "write"). And,
assuming it is OK, can this custom policy (or the corrected one if
needed) be included in the default policy?
TIA
manuel
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
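An added example, not part of the thread above, that makes the distinction behind the question concrete: the `class file { ... }` line inside `require { }` only declares which permissions of that class the module may refer to, while the `allow` rule is the only thing that actually grants anything. The script below writes the corrected module from the post to a temporary directory, checks with plain sed/awk-free shell that every permission used in an `allow` rule is declared in the `require` block (the mistake that makes checkmodule reject a module), and builds the .pp package only if checkmodule and semodule_package are installed. The module text is the one from the post with `type ipsec_mgmt_t;` in place of the corrected line; the helper names, the temp-dir layout and the "bad" module used for comparison are constructed for this example. Note that the rule grants `ipsec_mgmt_t` write access to every file labelled `var_log_t`, not just /var/log/ipsec, which is the trade-off a reviewer of the module would want to weigh.

```shell
#!/bin/sh
# Added example (not the poster's script): validate and build a small
# SELinux policy module. The .te text is the corrected module from the post.

TE_TEXT='module myipsec 1.0;

require {
    type ipsec_mgmt_t;
    type var_log_t;
    class file { write ioctl getattr append };
}

#============= ipsec_mgmt_t ==============
allow ipsec_mgmt_t var_log_t:file write;
'

# write_te DIR NAME TEXT: write TEXT to DIR/NAME.te and print the path.
write_te() {
    printf '%s' "$3" > "$1/$2.te"
    printf '%s\n' "$1/$2.te"
}

# required_perms FILE CLASS: permissions declared for CLASS in require {},
# one per line, sorted. These are only references, not grants.
required_perms() {
    sed -n "s/^[[:space:]]*class $2 {\(.*\)};.*/\1/p" "$1" \
        | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# allowed_perms FILE CLASS: permissions actually granted on CLASS by allow
# rules (handles both "file write;" and "file { write append };").
allowed_perms() {
    sed -n "s/^[[:space:]]*allow .*:$2 \(.*\);.*/\1/p" "$1" \
        | tr -d '{}' | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# check_perms FILE CLASS: fail (return 1) if an allow rule uses a permission
# the require block never declared; checkmodule would reject such a module.
check_perms() {
    req=$(required_perms "$1" "$2")
    rc=0
    for p in $(allowed_perms "$1" "$2"); do
        if ! printf '%s\n' "$req" | grep -qx "$p"; then
            echo "permission '$p' on class $2 is granted but not declared in require {}" >&2
            rc=1
        fi
    done
    return $rc
}

# build_module FILE: compile NAME.te -> NAME.mod -> NAME.pp with the standard
# tools; returns 2 when they are not installed so the example still runs.
build_module() {
    dir=$(dirname "$1"); name=$(basename "$1" .te)
    if ! command -v checkmodule >/dev/null 2>&1 \
       || ! command -v semodule_package >/dev/null 2>&1; then
        echo "checkmodule/semodule_package not found; skipping build" >&2
        return 2
    fi
    checkmodule -M -m -o "$dir/$name.mod" "$1" \
        && semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod" \
        && echo "built $dir/$name.pp (load with: semodule -i $dir/$name.pp)"
}

main() {
    dir=$(mktemp -d)
    te=$(write_te "$dir" myipsec "$TE_TEXT")
    echo "declared: $(required_perms "$te" file | tr '\n' ' ')"
    echo "granted:  $(allowed_perms "$te" file | tr '\n' ' ')"
    check_perms "$te" file && echo "allow rules only use declared permissions"
    build_module "$te" || true
}

main "$@"
```

Run it on the box where the module is to be loaded; the printed "declared" line lists the four permissions audit2allow put in the require block, the "granted" line shows only `write`, which is why the module is accepted as written.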