When I tested labeled ipsec, racoon died with the following messages (I added some line breaks for the reader's comfort):

| type=AVC msg=audit(1201052881.758:783): avc: denied { read }
| for pid=26854 comm="racoon" name="net" dev=proc ino=4026531867
| scontext=root:system_r:racoon_t:s0
| tcontext=system_u:object_r:proc_t:s0 tclass=dir
|
| type=AVC msg=audit(1201052881.758:784): avc: denied { read }
| for pid=26854 comm="racoon" name="unix" dev=proc ino=4026532018
| scontext=root:system_r:racoon_t:s0
| tcontext=system_u:object_r:proc_t:s0 tclass=file
|
| type=AVC msg=audit(1201052881.758:785): avc: denied { node_bind }
| for pid=26854 comm="racoon" saddr=127.0.0.1 src=500
| scontext=root:system_r:racoon_t:s0
| tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
|
| type=AVC msg=audit(1201052881.759:786): avc: denied { node_bind }
| for pid=26854 comm="racoon" saddr=10.19.71.81 src=500
| scontext=root:system_r:racoon_t:s0
| tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
|
| type=AVC msg=audit(1201052881.759:787): avc: denied { node_bind }
| for pid=26854 comm="racoon" saddr=0000:0000:0000:0000:0000:0000:0000:0001 src=500
| scontext=root:system_r:racoon_t:s0
| tcontext=system_u:object_r:compat_ipv4_node_t:s0 tclass=udp_socket
|
| type=AVC msg=audit(1201052881.759:788): avc: denied { node_bind }
| for pid=26854 comm="racoon" saddr=fe80:0000:0000:0000:0211:09ff:fe34:68e0 src=500
| scontext=root:system_r:racoon_t:s0
| tcontext=system_u:object_r:link_local_node_t:s0 tclass=udp_socket

selinux-policy-3.2.5-15.fc9 and ipsec-tools-0.7-8.fc9 are installed.

It seems to me that racoon tries to read /proc/net/unix and bind addresses on a udp socket. The attached patch grants those permissions, and it killed this matter.

Please apply it.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
--- serefpolicy-3.2.5/policy/modules/system/ipsec.te 2007-12-19 19:37:28.000000000 +0900 +++ serefpolicy-3.2.5.fixed/policy/modules/system/ipsec.te 2008-01-25 11:57:06.000000000 +0900 @@ -301,8 +301,12 @@ corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_bind_all_nodes(racoon_t) +corenet_udp_bind_all_nodes(racoon_t) corenet_udp_bind_isakmp_port(racoon_t) +# /proc/net/... +read_files_pattern(racoon_t,proc_t,proc_t) + dev_read_urand(racoon_t) # allow racoon to set contexts on ipsec policy and SAs
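Review bot: the first AVC in the report is a denied { read } on the "net" directory (tclass=dir), and `+read_files_pattern(racoon_t,proc_t,proc_t)` does not cover it: that pattern grants read on proc_t files but only search on the proc_t directory, so a directory read by racoon would still be denied. proc_t is the kernel module's type, so the refpolicy convention is to call that module's interface from ipsec.te rather than use a raw pattern on another module's type; kernel_read_system_state(racoon_t) grants the proc_t file and directory reads in one call. If the raw pattern is kept, add a space after each comma (`read_files_pattern(racoon_t, proc_t, proc_t)`) to match the surrounding style, and make the `# /proc/net/...` comment say what racoon reads there (/proc/net/unix, per the report). The `+corenet_udp_bind_all_nodes(racoon_t)` line matches the four node_bind denials (lo_node_t, node_t, compat_ipv4_node_t, link_local_node_t) and is placed consistently next to corenet_udp_bind_isakmp_port.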