On 05/20/2013 01:45 PM, Dominick Grift wrote:
On Mon, 2013-05-20 at 12:36 +0300, Manuel Wolfshant wrote:
On 05/20/2013 12:31 PM, Manuel Wolfshant wrote:
Hello
I am using CentOS 6.4 and I want to store the logs from openswan
into a different file ( /var/log/ipsec ) than the default. For this
purpose I added
plutostderrlog=/var/log/ipsec
to ipsec.conf.
As long as I keep the server in permissive mode, openswan starts
OK. If, however, I switch to enforcing, the daemon refuses to start
with the following error message displayed in the console:
ipsec_setup: Starting Openswan IPsec
U2.6.32/K3.0.78-1.el6.elrepo.x86_64...
ipsec_setup: Cannot write to "/var/log/ipsec".
The audit log does not record anything useful so I tried to switch
dontaudit to off and see if anything useful comes out. After running
audit2allow and a bit of trial and error I came up with the following
custom policy:
module myipsec 1.0;
require {
type ipsec_t;
Sorry, this line is:
type ipsec_mgmt_t;
type var_log_t;
class file { write ioctl getattr append };
}
#============= ipsec_mgmt_t ==============
allow ipsec_mgmt_t var_log_t:file write;
The above policy worked for me but I am wondering if it is OK (I
am mostly confused by the fact that the class includes " write ioctl
getattr append " but the rule has only "write" ). And, assuming it is
OK, can this custom policy (or the corrected one if needed) be
included in the default policy?
TIA
manuel
This particular solution is a bad idea:
I did have some doubts, hence my question :)
First let's see what ipsec types are available:
# seinfo -t | grep ipsec
ipsecnat_port_t
ipsec_t
ipsec_initrc_exec_t
ipsec_mgmt_t
ipsec_log_t
ipsecnat_client_packet_t
ipsec_var_run_t
ipsec_key_file_t
ipsec_mgmt_var_run_t
ipsec_conf_file_t
ipsecnat_server_packet_t
ipsec_exec_t
ipsec_mgmt_exec_t
ipsec_mgmt_lock_t
ipsec_spd_t
ipsec_tmp_t
The policy is (mostly) written with self-documentation in mind, in this
case meaning that the name of the type describes its functionality.
As you can see, on my system it lists ipsec_log_t. I assume that this is
a type for ipsec log files.
Now we're going to use the sesearch command to see how ipsec_mgmt_t can
operate on ipsec_log_t files:
# sesearch --allow -s ipsec_mgmt_t -t ipsec_log_t | grep " ipsec_log_t "
allow ipsec_mgmt_t ipsec_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow ipsec_mgmt_t ipsec_log_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
So ipsec_mgmt_t is allowed pretty much full access to ipsec_log_t files;
it is also allowed to pretty much manage content in ipsec_log_t type
directories.
So the solution is to label your new log location with the ipsec_log_t
type.
But let's look at the stock location of the ipsec log file(s):
# semanage fcontext -l | grep ipsec_log_t
/var/log/pluto\.log regular file system_u:object_r:ipsec_log_t:s0
So there's some things to consider here:
Did you create /var/log/ipsec file manually?
How are you dealing with log rotation?
But I will make some assumptions (that you have created /var/log/ipsec
for ipsec manually).
Likely solution is to:
semanage fcontext -a -t ipsec_log_t "/var/log/ipsec.*"
restorecon -v /var/log/ipsec
This solution is much cleaner because it means you do not
have to allow ipsec_mgmt_t to "write" generic log content.
[...]
So label your ipsec log file ipsec_log_t like the example above and you
should be set.
And yes I was set. Thank you a lot. Much cleaner, indeed.
M.
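Dominick's sesearch and semanage output above carries the whole argument: the question is not which extra allow rule to add, but which label the new log file ends up with. The script below is an added example, not code from this thread or from the SELinux project. It parses the two sesearch lines quoted above and fcontext lines in the format shown above (the "/var/log(/.*)?" entry mapping to var_log_t is an assumption I added, standing in for whatever stock rule gave /var/log/ipsec its var_log_t label), models the file_contexts lookup as an anchored regex match where the last matching entry wins (a simplification of libselinux's ordering), and shows that ipsec_mgmt_t cannot write the file while it is var_log_t but can once a local "/var/log/ipsec.*" entry maps it to ipsec_log_t, rotated names included.

```python
import re

# Constructed sample: the two `sesearch --allow` lines quoted in the thread
# (older setools output format: "allow SRC TGT : CLASS { PERMS } ;").
SESEARCH_OUTPUT = """\
allow ipsec_mgmt_t ipsec_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow ipsec_mgmt_t ipsec_log_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
"""

# Constructed sample of `semanage fcontext -l` lines. The pluto.log entry is the
# one shown in the thread; the /var/log(/.*)? -> var_log_t line is an assumption
# standing in for the generic default that gave /var/log/ipsec its var_log_t label.
FCONTEXT_STOCK = """\
/var/log(/.*)?                 all files       system_u:object_r:var_log_t:s0
/var/log/pluto\\.log            regular file    system_u:object_r:ipsec_log_t:s0
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;?\s*$")


def parse_allow_rules(text):
    """Turn sesearch allow lines into (source, target, class, {perms}) tuples."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.split())))
    return rules


def is_allowed(rules, source, target, cls, perm):
    """True if some allow rule grants `perm` on class `cls` from source to target."""
    return any(s == source and t == target and c == cls and perm in p
               for s, t, c, p in rules)


def parse_fcontexts(text):
    """Turn `semanage fcontext -l` lines into (regex, file type, SELinux type) tuples.
    The regex is the first whitespace-delimited field and the context the last;
    whatever lies between is the file-type column ("regular file", "all files")."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        regex, context = parts[0], parts[-1]
        ftype = " ".join(parts[1:-1])
        setype = context.split(":")[2]   # user:role:TYPE:level
        entries.append((regex, ftype, setype))
    return entries


def add_local_fcontext(entries, regex, setype, ftype="all files"):
    """Model `semanage fcontext -a -t TYPE REGEX`: a local customization is appended
    after the stock entries (returns a new list, the stock list is untouched)."""
    return entries + [(regex, ftype, setype)]


def resolve_type(entries, path):
    """Model the file_contexts lookup used by restorecon/matchpathcon: patterns are
    implicitly anchored at both ends (hence fullmatch) and, as a simplification of
    libselinux's ordering, the last matching entry wins. Returns None on no match."""
    winner = None
    for regex, _ftype, setype in entries:
        if re.fullmatch(regex, path):
            winner = setype
    return winner


def can_write_log(entries, rules, path, source="ipsec_mgmt_t"):
    """Resolve the label `path` would get, then ask whether `source` may write it."""
    setype = resolve_type(entries, path)
    return setype, is_allowed(rules, source, setype, "file", "write")


if __name__ == "__main__":
    rules = parse_allow_rules(SESEARCH_OUTPUT)
    stock = parse_fcontexts(FCONTEXT_STOCK)
    print("before:", "/var/log/ipsec", can_write_log(stock, rules, "/var/log/ipsec"))
    fixed = add_local_fcontext(stock, r"/var/log/ipsec.*", "ipsec_log_t")
    for p in ("/var/log/ipsec", "/var/log/ipsec.1", "/var/log/ipsec-20130520.gz"):
        print("after: ", p, can_write_log(fixed, rules, p))
```

Run it with python3; the __main__ block prints the before and after results for the unrotated file and two constructed rotated names. The escaped dot in /var/log/pluto\.log matters: file_contexts patterns are regular expressions, so an unescaped dot would match any character, and "/var/log/ipsec.*" deliberately relies on that to cover /var/log/ipsec together with its rotated copies, which is the log rotation point Dominick raised.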
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux