On Fri, 2008-01-25 at 14:24 +0900, Kohei KaiGai wrote:
> When I tested labeled ipsec, racoon got dead with the following messages:
> (I added some line breaks for the reader's comfort)
>
> | type=AVC msg=audit(1201052881.758:783): avc: denied { read }
> | for pid=26854 comm="racoon" name="net" dev=proc ino=4026531867
> | scontext=root:system_r:racoon_t:s0
> | tcontext=system_u:object_r:proc_t:s0 tclass=dir

That one is a kernel bug (in 2.6.24). Should have a fix soon - patch is
being reviewed.

> | type=AVC msg=audit(1201052881.758:784): avc: denied { read }
> | for pid=26854 comm="racoon" name="unix" dev=proc ino=4026532018
> | scontext=root:system_r:racoon_t:s0
> | tcontext=system_u:object_r:proc_t:s0 tclass=file
> | type=AVC msg=audit(1201052881.758:785): avc: denied { node_bind }
> | for pid=26854 comm="racoon" saddr=127.0.0.1 src=500
> | scontext=root:system_r:racoon_t:s0
> | tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
> | type=AVC msg=audit(1201052881.759:786): avc: denied { node_bind }
> | for pid=26854 comm="racoon" saddr=10.19.71.81 src=500
> | scontext=root:system_r:racoon_t:s0
> | tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
> | type=AVC msg=audit(1201052881.759:787): avc: denied { node_bind }
> | for pid=26854 comm="racoon" saddr=0000:0000:0000:0000:0000:0000:0000:0001 src=500
> | scontext=root:system_r:racoon_t:s0
> | tcontext=system_u:object_r:compat_ipv4_node_t:s0 tclass=udp_socket
> | type=AVC msg=audit(1201052881.759:788): avc: denied { node_bind }
> | for pid=26854 comm="racoon" saddr=fe80:0000:0000:0000:0211:09ff:fe34:68e0 src=500
> | scontext=root:system_r:racoon_t:s0
> | tcontext=system_u:object_r:link_local_node_t:s0 tclass=udp_socket
>
> selinux-policy-3.2.5-15.fc9 and ipsec-tools-0.7-8.fc9 are installed.
> It seems to me that racoon tries to read /proc/net/unix, and bind addresses
> on udp socket.
>
> The attached patch grants those permissions, and it killed this matter.
> Please apply it.
>
> Thanks,

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
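The thread above turns a set of AVC denials into policy permissions, with one denial (the `read` on the `proc_t` directory) set aside as a kernel bug rather than a policy gap. The following is an added example, not the patch attached to the thread nor any code from the selinux policy or ipsec-tools projects: it parses AVC records of the form quoted above into `allow` rules, merges permissions per (source type, target type, class), and takes an optional `skip` set so that denials which should not be fixed in policy are left out. The `SAMPLE_AVC` records are the six lines from the thread re-joined one per record; the function names and the `skip` parameter are this example's own.

```python
import re

# Constructed sample input: the six AVC records quoted in the thread, one record per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1201052881.758:783): avc: denied { read } for pid=26854 comm="racoon" name="net" dev=proc ino=4026531867 scontext=root:system_r:racoon_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=AVC msg=audit(1201052881.758:784): avc: denied { read } for pid=26854 comm="racoon" name="unix" dev=proc ino=4026532018 scontext=root:system_r:racoon_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1201052881.758:785): avc: denied { node_bind } for pid=26854 comm="racoon" saddr=127.0.0.1 src=500 scontext=root:system_r:racoon_t:s0 tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
type=AVC msg=audit(1201052881.759:786): avc: denied { node_bind } for pid=26854 comm="racoon" saddr=10.19.71.81 src=500 scontext=root:system_r:racoon_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1201052881.759:787): avc: denied { node_bind } for pid=26854 comm="racoon" saddr=0000:0000:0000:0000:0000:0000:0000:0001 src=500 scontext=root:system_r:racoon_t:s0 tcontext=system_u:object_r:compat_ipv4_node_t:s0 tclass=udp_socket
type=AVC msg=audit(1201052881.759:788): avc: denied { node_bind } for pid=26854 comm="racoon" saddr=fe80:0000:0000:0000:0211:09ff:fe34:68e0 src=500 scontext=root:system_r:racoon_t:s0 tcontext=system_u:object_r:link_local_node_t:s0 tclass=udp_socket
"""

# Pull out the permission set and the three fields an allow rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record into a dict, or return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def allow_rules(lines, skip=()):
    """Convert AVC denials into allow rules, merging permissions per (stype, ttype, tclass).

    `skip` (hypothetical parameter for this example) holds (stype, ttype, tclass)
    triples that must not become policy, e.g. a denial the kernel should not have
    produced in the first place. Rule order follows first appearance in the input.
    """
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        if key in skip:
            continue
        perms = merged.setdefault(key, [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(perms))
        for (s, t, c), perms in merged.items()
    ]


if __name__ == "__main__":
    # Leave out the proc_t:dir read, which the reply above attributes to a kernel bug.
    for rule in allow_rules(SAMPLE_AVC.splitlines(), skip={("racoon_t", "proc_t", "dir")}):
        print(rule)
```

Run as a script it prints five rules, one per remaining denial; without the `skip` argument it prints six. The point of the `skip` set is the one the reply makes: a denial is evidence that the policy and the kernel disagree, not proof that the policy is wrong, so the generated rules should be reviewed before they go into a module.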