Re: openswan start denied by selinux if a custom log file is used


On 05/20/2013 07:03 AM, Manuel Wolfshant wrote:
> On 05/20/2013 01:45 PM, Dominick Grift wrote:
>> On Mon, 2013-05-20 at 12:36 +0300, Manuel Wolfshant wrote:
>>> On 05/20/2013 12:31 PM, Manuel Wolfshant wrote:
>>>> Hello
>>>> 
>>>> I am using CentOS 6.4 and I want to store the logs from openswan into
>>>> a different file ( /var/log/ipsec ) than the default. For this 
>>>> purpose I added
>>>> 
>>>> plutostderrlog=/var/log/ipsec
>>>> 
>>>> to ipsec.conf. As long as I keep the server in permissive mode,
>>>> openswan starts OK. If, however, I switch to enforcing, the daemon
>>>> refuses to start with the following error message displayed in the
>>>> console:
>>>> 
>>>> ipsec_setup: Starting Openswan IPsec U2.6.32/K3.0.78-1.el6.elrepo.x86_64...
>>>> ipsec_setup: Cannot write to "/var/log/ipsec".
>>>> 
>>>> The audit log does not record anything useful so I tried to switch 
>>>> dontaudit to off and see if anything useful comes out. After running 
>>>> audit2allow and a bit of trial and error I came out with the
>>>> following custom policy :
>>>> 
>>>> module myipsec 1.0;
>>>> 
>>>> require { type ipsec_t;
>>>> 
>>> Sorry, this line is:
>>> 
>>> type ipsec_mgmt_t;
>>> 
>>> 
>>>> type var_log_t;
>>>> class file { write ioctl getattr append };
>>>> }
>>>> 
>>>> #============= ipsec_mgmt_t ==============
>>>> allow ipsec_mgmt_t var_log_t:file write;
>>>> 
>>>> 
>>>> The above policy worked for me but I am wondering if it is OK (I am
>>>> mostly confused by the fact that the class includes " write ioctl 
>>>> getattr append " but the rule has only "write" ). And, assuming it
>>>> is OK can this custom policy ( or the corrected one if needed ) be 
>>>> included in the default policy ?
>>>> 
>>>> TIA
>>>> 
>>>> manuel
>> This particular solution is a bad idea:
> 
> I did have some doubts, hence my question  :)
> 
> 
>> 
>> First let's see what ipsec types are available:
>> 
>>> # seinfo -t | grep ipsec
>>> ipsecnat_port_t ipsec_t ipsec_initrc_exec_t ipsec_mgmt_t ipsec_log_t
>>> ipsecnat_client_packet_t ipsec_var_run_t ipsec_key_file_t ipsec_mgmt_var_run_t
>>> ipsec_conf_file_t ipsecnat_server_packet_t ipsec_exec_t ipsec_mgmt_exec_t
>>> ipsec_mgmt_lock_t ipsec_spd_t ipsec_tmp_t
>> The policy is (mostly) written with self-documentation in mind, in this 
>> case meaning that the name of the type describes its functionality.
>> 
>> As you can see, on my system it lists ipsec_log_t. I assume that this is 
>> a type for ipsec log files.
>> 
>> Now we're going to use the sesearch command to see how ipsec_mgmt_t can 
>> operate on ipsec_log_t files:
>> 
>>> # sesearch --allow -s ipsec_mgmt_t -t ipsec_log_t | grep " ipsec_log_t "
>>> allow ipsec_mgmt_t ipsec_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>>> allow ipsec_mgmt_t ipsec_log_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
>> So ipsec_mgmt_t is allowed pretty much full access to ipsec_log_t files; 
>> it is also allowed to pretty much manage content in ipsec_log_t type 
>> directories.
>> 
>> So the solution is to label your new log location with the ipsec_log_t 
>> type.
>> 
>> But let's look at the stock location of the ipsec log file(s):
>> 
>>> # semanage fcontext -l | grep ipsec_log_t
>>> /var/log/pluto\.log    regular file    system_u:object_r:ipsec_log_t:s0
>> So there's some things to consider here:
>> 
>> Did you create /var/log/ipsec file manually? How are you dealing with log
>> rotation?
>> 
>> But I will make some assumptions (that you have created /var/log/ipsec for
>> ipsec manually).
>> 
>> Likely solution is to:
>> 
>> semanage fcontext -a -t ipsec_log_t "/var/log/ipsec.*"
>> restorecon -v /var/log/ipsec
>> 
>> This solution is much cleaner because it means that you do not 
>> have to allow ipsec_mgmt_t to "write" generic log content. [...]
>> 
>> So label your ipsec log file ipsec_log_t like the example above and you 
>> should be set.
> 
> And yes I was set. Thank you a lot. Much cleaner, indeed.
> 
> 
> M.
> 
> 
> -- 
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

I wrote a quick blog on this.

http://danwalsh.livejournal.com/64142.html
