racoon denials

Dominick Grift domg472 at gmail.com
Mon Aug 17 14:10:37 UTC 2009 

On Mon, Aug 17, 2009 at 10:59:59AM +0200, Daniel Fazekas wrote:
> selinux-policy-3.6.12-72.fc11.noarch
> selinux-policy-targeted-3.6.12-72.fc11.noarch
> ipsec-tools-0.7.2-1.fc11.x86_64
>
> I'm getting a handful of racoon denials with what I believe is a pretty 
> common setup — is there anything I could be doing differently?
>
> allow racoon_t shadow_t:file { read getattr open };

Well i can give you some direction into how to allow this stuff but i am not confident as to wheter its the right this to do and i also have not tested any of it.

but in theory:

echo "policy_module(myracoon, 0.0.1)" > myracoon.te;
echo "require { type racoon_t; }" >> myracoon.te;
echo "auth_read_shadow(racoon_t)" >> myracoon.te;

>
> This is needed for racoon to do XAuth logins with the default  
> auth_source of system. Unfortunately that's the only option available  
> with racoon as supplied in Fedora 11, as support for pam/ldap/radius  
> isn't built in.
>
>
> The rest is all caused by my having a phase1_up/down script in /etc/ 
> racoon/scripts (the directory and the script are both  
> system_u:object_r:bin_t:s0).
>
> allow racoon_t setkey_exec_t:file { read execute open execute_no_trans };
> allow racoon_t fs_t:filesystem getattr;
> allow racoon_t tmp_t:dir { write remove_name getattr search add_name };
> allow racoon_t tmp_t:file { write getattr read create unlink open };

echo "setkey_domtrans(racoon_t)" >> myracoon.te;
echo "fs_dontaudit_getattr_xattr_fs(racoon_t)" >> myracoon.te;
echo "type racoon_tmp_t;" >> myracoon.te;
echo "files_tmp_file(racoon_tmp_t)" >> myracoon.te;
echo "manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)" >> myracoon.te;
echo "manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)" >> myracoon.te;
echo "files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })" >> myracoon.te;

make -f /usr/share/selinux/devel/Makefile myracoon.pp
sudo semodule -i myracoon.pp

This is just the rules translated into policy. I am not positive whether racoon or setkey creates the object in tmp, read shadow, and get attributes of fs_t:filesystem.

This policy assumes racoon_t does all that.

>
> Calling /sbin/setkey to add and remove SPDs is the primary reason to  
> have an up/down script.
> The fs_t and tmp_t accesses are less clear why they are necessary. It's a 
> /bin/sh script which isn't doing anything other than calling / 
> sbin/setkey.
>
> type=AVC msg=audit(1250495868.674:27320): avc:  denied  { getattr } for  
> pid=5436 comm="l2tp_up_down" path="/tmp" dev=dm-0 ino=26  
> scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27321): avc:  denied  { write } for   
> pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26  
> scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27322): avc:  denied  { getattr } for  
> pid=5436 comm="l2tp_up_down" name="/" dev=dm-0 ino=2  
> scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> type=AVC msg=audit(1250495868.674:27323): avc:  denied  { search } for  
> pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26  
> scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27323): avc:  denied  { add_name } for  
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043"  
> scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27323): avc:  denied  { create } for  
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043"  
> scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.674:27323): avc:  denied  { write open }  
> for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0  
> ino=218 scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.675:27324): avc:  denied  { getattr } for  
> pid=5436 comm="l2tp_up_down" path="/tmp/sh-thd-1250518043" dev=dm-0 
> ino=218 scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27325): avc:  denied  { read } for   
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218  
> scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27326): avc:  denied  { remove_name } 
> for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 
> ino=218 scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.676:27326): avc:  denied  { unlink } for  
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 
> scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc:  denied  { execute } for  
> pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974  
> scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc:  denied  { read open }  
> for  pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974  
> scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc:  denied  { 
> execute_no_trans } for  pid=5436 comm="l2tp_up_down" path="/sbin/setkey" 
> dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc:  denied  { execute } for  
> pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974  
> scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc:  denied  { read open }  
> for  pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974  
> scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc:  denied  { 
> execute_no_trans } for  pid=5533 comm="l2tp_up_down" path="/sbin/setkey" 
> dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.293:27359): avc:  denied  { read } for   
> pid=5533 comm="setkey"  
> path=2F746D702F73682D7468642D31323530353139323239202864656C6574656429  
> dev=dm-0 ino=30914 scontext=system_u:system_r:racoon_t:s0  
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090817/3a90d1ff/attachment.sig>

More information about the fedora-selinux-list mailing list