[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: racoon denials



On Aug 17, 2009, at 18:09, Dominick Grift wrote:

So that means there is no such shared policy. we can can work around that by adding the following to the myracoon.te:
echo "require { type setkey_exec_t, setkey_t; }" >> myracoon.te;
echo "domtrans_pattern(racoon_t, setkey_exec_t, setkey_t)" >> myracoon.te;

assuming setkey_t is the domain type

That did compile, but now there's a whole new set of setkey_t denials.

allow setkey_t racoon_t:key_socket { read write };
allow setkey_t racoon_t:netlink_route_socket { read write };
allow setkey_t racoon_t:udp_socket { read write };
allow setkey_t racoon_t:unix_stream_socket { read write };
allow setkey_t racoon_tmp_t:file { read getattr };

I now had to make setkey_t permissive. Previously it only required doing that for racoon_t.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]