racoon denials
Dominick Grift
domg472 at gmail.com
Mon Aug 17 14:10:37 UTC 2009
On Mon, Aug 17, 2009 at 10:59:59AM +0200, Daniel Fazekas wrote:
> selinux-policy-3.6.12-72.fc11.noarch
> selinux-policy-targeted-3.6.12-72.fc11.noarch
> ipsec-tools-0.7.2-1.fc11.x86_64
>
> I'm getting a handful of racoon denials with what I believe is a pretty
> common setup — is there anything I could be doing differently?
>
> allow racoon_t shadow_t:file { read getattr open };
Well i can give you some direction into how to allow this stuff but i am not confident as to wheter its the right this to do and i also have not tested any of it.
but in theory:
echo "policy_module(myracoon, 0.0.1)" > myracoon.te;
echo "require { type racoon_t; }" >> myracoon.te;
echo "auth_read_shadow(racoon_t)" >> myracoon.te;
>
> This is needed for racoon to do XAuth logins with the default
> auth_source of system. Unfortunately that's the only option available
> with racoon as supplied in Fedora 11, as support for pam/ldap/radius
> isn't built in.
>
>
> The rest is all caused by my having a phase1_up/down script in /etc/
> racoon/scripts (the directory and the script are both
> system_u:object_r:bin_t:s0).
>
> allow racoon_t setkey_exec_t:file { read execute open execute_no_trans };
> allow racoon_t fs_t:filesystem getattr;
> allow racoon_t tmp_t:dir { write remove_name getattr search add_name };
> allow racoon_t tmp_t:file { write getattr read create unlink open };
echo "setkey_domtrans(racoon_t)" >> myracoon.te;
echo "fs_dontaudit_getattr_xattr_fs(racoon_t)" >> myracoon.te;
echo "type racoon_tmp_t;" >> myracoon.te;
echo "files_tmp_file(racoon_tmp_t)" >> myracoon.te;
echo "manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)" >> myracoon.te;
echo "manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)" >> myracoon.te;
echo "files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })" >> myracoon.te;
make -f /usr/share/selinux/devel/Makefile myracoon.pp
sudo semodule -i myracoon.pp
This is just the rules translated into policy. I am not positive whether racoon or setkey creates the object in tmp, read shadow, and get attributes of fs_t:filesystem.
This policy assumes racoon_t does all that.
>
> Calling /sbin/setkey to add and remove SPDs is the primary reason to
> have an up/down script.
> The fs_t and tmp_t accesses are less clear why they are necessary. It's a
> /bin/sh script which isn't doing anything other than calling /
> sbin/setkey.
>
> type=AVC msg=audit(1250495868.674:27320): avc: denied { getattr } for
> pid=5436 comm="l2tp_up_down" path="/tmp" dev=dm-0 ino=26
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27321): avc: denied { write } for
> pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27322): avc: denied { getattr } for
> pid=5436 comm="l2tp_up_down" name="/" dev=dm-0 ino=2
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> type=AVC msg=audit(1250495868.674:27323): avc: denied { search } for
> pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27323): avc: denied { add_name } for
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043"
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27323): avc: denied { create } for
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043"
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.674:27323): avc: denied { write open }
> for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0
> ino=218 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.675:27324): avc: denied { getattr } for
> pid=5436 comm="l2tp_up_down" path="/tmp/sh-thd-1250518043" dev=dm-0
> ino=218 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27325): avc: denied { read } for
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27326): avc: denied { remove_name }
> for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0
> ino=218 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.676:27326): avc: denied { unlink } for
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc: denied { execute } for
> pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc: denied { read open }
> for pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc: denied {
> execute_no_trans } for pid=5436 comm="l2tp_up_down" path="/sbin/setkey"
> dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc: denied { execute } for
> pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc: denied { read open }
> for pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc: denied {
> execute_no_trans } for pid=5533 comm="l2tp_up_down" path="/sbin/setkey"
> dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.293:27359): avc: denied { read } for
> pid=5533 comm="setkey"
> path=2F746D702F73682D7468642D31323530353139323239202864656C6574656429
> dev=dm-0 ino=30914 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090817/3a90d1ff/attachment.sig>
More information about the fedora-selinux-list
mailing list