On Thu, 2008-09-11 at 14:47 -0700, Justin Mattock wrote:
> when starting ipsec, there is a daemon
> or I can run /usr/sbin/setkey. at the moment I've disabled
> setkey daemon at boot up, and am using the manual
> approach. when issuing setkey -f /etc/ipsec-tools.conf
> the file does go into the SDP entry without any issues,
> but also leaves AVCs in dmesg. (below);
>
> [ 157.919674] type=1415 audit(1221168887.813:5): op=SAD-add
> auid=4294967295 ses=4294967295 subj=a-12:sysadm_r:sysadm_t
> src=10.0.0.8 dst=10.0.0.5 spi=512(0x200) res=1
> [ 157.919714] type=1300 audit(1221168887.813:5): arch=40000003
> syscall=102 success=yes exit=120 a0=9 a1=bfee55b0 a2=805a6d0 a3=20
> items=0 ppid=3830 pid=3916 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setkey"
> exe="/usr/sbin/setkey" subj=a-12:sysadm_r:sysadm_t key=(null)
> ...
> When using audit2allow -d
> there is a message of: No AVC's found.
> Anyways not sure if this is good or bad...
> thought it would be better to post than to not at all.
> Besides that ipsec seems to be running nicely, with the policy
> in enforcing mode.
> regards;

The messages are not AVCs, so audit2allow does not have any work to do.
The messages are in the audit.log/dmesg just for auditing purposes and
are not related to SELinux.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
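The point of the reply above is that audit2allow only reads AVC records (kernel type 1400 AVC and type 1107 USER_AVC); the lines in the post are type 1415 (MAC_IPSEC_EVENT, written by the xfrm/IPsec code when a SAD or SPD entry changes) and type 1300 (SYSCALL), which share audit serial 5 and so describe the same setkey call. The following is an added example, not code from the thread or from the audit2allow tool: a small Python classifier that parses audit records in both dmesg and audit.log form, groups them by serial, and reports whether any AVC is present. The record type numbers are taken from linux/audit.h; the two posted lines are reconstructed from the quoted message, and the final type=1400 line is constructed here for contrast and did not appear in the post.

```python
"""Classify Linux audit records by type, the way audit2allow decides
whether a record is an AVC it can turn into policy.  Added example:
type numbers from include/uapi/linux/audit.h; sample lines reconstructed
from the mailing-list post, plus one constructed AVC line for contrast."""
import re
from collections import Counter

# Selected record types from linux/audit.h (numbers are the kernel's).
AUDIT_TYPES = {
    1107: "USER_AVC",          # AVC reported by a userspace object manager
    1300: "SYSCALL",
    1400: "AVC",               # kernel SELinux access-vector-cache decision
    1411: "MAC_IPSEC_ADDSA",
    1412: "MAC_IPSEC_DELSA",
    1413: "MAC_IPSEC_ADDSPD",
    1414: "MAC_IPSEC_DELSPD",
    1415: "MAC_IPSEC_EVENT",   # SAD/SPD change, logged by xfrm for auditing
}
AVC_TYPES = {"AVC", "USER_AVC"}  # the only types audit2allow consumes

# Lines reconstructed from the post (dmesg form, with the "[ secs ]" prefix).
POSTED_LINES = [
    '[ 157.919674] type=1415 audit(1221168887.813:5): op=SAD-add '
    'auid=4294967295 ses=4294967295 subj=a-12:sysadm_r:sysadm_t '
    'src=10.0.0.8 dst=10.0.0.5 spi=512(0x200) res=1',
    '[ 157.919714] type=1300 audit(1221168887.813:5): arch=40000003 '
    'syscall=102 success=yes exit=120 a0=9 a1=bfee55b0 a2=805a6d0 a3=20 '
    'items=0 ppid=3830 pid=3916 auid=4294967295 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setkey" '
    'exe="/usr/sbin/setkey" subj=a-12:sysadm_r:sysadm_t key=(null)',
]
# Constructed for contrast (NOT from the post): what a real AVC looks like.
CONSTRUCTED_AVC_LINE = (
    'type=1400 audit(1221168890.113:7): avc:  denied  { read } for  pid=3920 '
    'comm="setkey" name="ipsec-tools.conf" dev=sda1 ino=131091 '
    'scontext=sysadm_u:sysadm_r:sysadm_t tcontext=system_u:object_r:etc_t '
    'tclass=file'
)

_HEADER = re.compile(r"type=(\d+) audit\((\d+\.\d+):(\d+)\):\s*(.*)")
# key=value pairs: quoted strings, parenthesised values such as (null), or bare tokens
_FIELD = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Parse one audit record (dmesg or audit.log form); None if not a record."""
    m = _HEADER.search(line)
    if not m:
        return None
    type_num, timestamp, serial, body = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    fields = {}
    for key, val in _FIELD.findall(body):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return {
        "type_num": type_num,
        "type": AUDIT_TYPES.get(type_num, "UNKNOWN_%d" % type_num),
        "timestamp": timestamp,
        "serial": serial,
        "fields": fields,
        "body": body,
    }


def classify(lines):
    """Count record types, e.g. Counter({'MAC_IPSEC_EVENT': 1, 'SYSCALL': 1})."""
    return Counter(r["type"] for r in map(parse_record, lines) if r)


def group_events(lines):
    """Map each audit serial to the record types that make up that one event."""
    events = {}
    for r in map(parse_record, lines):
        if r:
            events.setdefault(r["serial"], []).append(r["type"])
    return events


def avc_records(lines):
    """The records audit2allow would act on: kernel AVC and USER_AVC only."""
    return [r for r in map(parse_record, lines) if r and r["type"] in AVC_TYPES]


def denied_permissions(record):
    """Permissions named in an AVC denial, e.g. ['read']; empty if not a denial."""
    m = re.search(r"denied\s+\{([^}]*)\}", record["body"])
    return m.group(1).split() if m else []


if __name__ == "__main__":
    for name, lines in (("posted lines", POSTED_LINES),
                        ("posted + constructed AVC", POSTED_LINES + [CONSTRUCTED_AVC_LINE])):
        found = avc_records(lines)
        verdict = "No AVCs found" if not found else "%d AVC record(s)" % len(found)
        print("%s: %s -> %s" % (name, dict(classify(lines)), verdict))
```

Run on the two posted lines the classifier reports one MAC_IPSEC_EVENT and one SYSCALL record under a single serial and no AVC, which is exactly why audit2allow -d answers "No AVC's found"; only when the constructed type=1400 line is appended does it find anything to work with. If you want the IPsec records out of dmesg rather than just explained, that is an auditd/printk configuration matter, not an SELinux policy one.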