[redhat-lspp] new ipsec-tools package

Paul Moore paul.moore at hp.com
Wed Apr 11 20:38:22 UTC 2007


On Wednesday, April 11 2007 4:08:51 pm Joe Nall wrote:
> I'm not having any luck with this package:
>
> /var/log/message
>
> Apr 11 14:56:39 fc6work racoon: ERROR: no configuration found for
> 127.0.0.1.
> Apr 11 14:56:39 fc6work racoon: ERROR: failed to begin ipsec sa
> negotication.
> Apr 11 14:57:09 fc6work racoon: INFO: security context doi: 1
> Apr 11 14:57:09 fc6work racoon: INFO: security context algorithm: 1
> Apr 11 14:57:09 fc6work racoon: INFO: security context length: 44
> Apr 11 14:57:09 fc6work racoon: INFO: security context:
> system_u:system_r:jcdx_ep_t:s0-s15:c0.c1023
> Apr 11 14:57:09 fc6work racoon: ERROR: no configuration found for
> 127.0.0.1.
> Apr 11 14:57:09 fc6work racoon: ERROR: failed to begin ipsec sa
> negotication.
> Apr 11 14:57:39 fc6work racoon: INFO: security context doi: 1
> Apr 11 14:57:39 fc6work racoon: INFO: security context algorithm: 1
> Apr 11 14:57:39 fc6work racoon: INFO: security context length: 43
>
> {snip}
>
> /var/log/audit/audit.log has lots of polmatch avcs
>
> type=AVC msg=audit(1176302177.663:28): avc:  denied  { polmatch }
> for  pid=2129 comm="cupsd"
> scontext=system_u:system_r:cupsd_t:s15:c0.c1023
> tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
> tclass=association
> type=AVC msg=audit(1176302177.663:28): avc:  denied  { sendto } for
> pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023
> tcontext=system_u:system_r:cupsd_t:s15:c0.c1023 tclass=association
> type=SYSCALL msg=audit(1176302177.663:28): arch=40000003 syscall=102
> success=no exit=-3 a0=3 a1=bfe48050 a2=2baff4 a3=2 items=0 ppid=2128
> pid=2129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd"
> subj=system_u:system_r:cupsd_t:s15:c0.c1023 key=(null)
>

Do you see any polmatch denials with a scontext value 
of "system_u:system_r:jcdx_ep_t:s0-s15:c0.c1023"?  The AVC denials above are 
all for CUPS ...

-- 
paul moore
linux security @ hp
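Paul's question above, whether any polmatch denials carry the jcdx_ep_t source context, is the kind of thing one answers by filtering audit.log rather than reading it by hand. The following is an added example, not code from the thread or from the ipsec-tools package: it parses AVC records of the form quoted above, keeps polmatch denials on tclass=association (the labeled-IPsec check of a socket's context against an SPD entry), and groups them by scontext. The sample lines are constructed from the quoted records, re-joined onto one line each; the jcdx_ep_t record and its pid/comm are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the audit.log excerpt quoted in the thread.
# The last record (jcdx_ep_t, pid 2311, comm "jcdx") is hypothetical.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1176302177.663:28): avc:  denied  { polmatch } for  pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 tclass=association
type=AVC msg=audit(1176302177.663:28): avc:  denied  { sendto } for  pid=2129 comm="cupsd" scontext=system_u:system_r:cupsd_t:s15:c0.c1023 tcontext=system_u:system_r:cupsd_t:s15:c0.c1023 tclass=association
type=SYSCALL msg=audit(1176302177.663:28): arch=40000003 syscall=102 success=no exit=-3 a0=3 comm="cupsd" exe="/usr/sbin/cupsd"
type=AVC msg=audit(1176302200.100:31): avc:  denied  { polmatch } for  pid=2311 comm="jcdx" scontext=system_u:system_r:jcdx_ep_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 tclass=association
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values may be quoted (comm="cupsd") or bare (tclass=association)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    return rec


def context_type(ctx):
    """Type field of an SELinux context: user:role:type[:range] -> type."""
    return ctx.split(':')[2]


def polmatch_denials_by_scontext(log_text, tclass='association'):
    """Count polmatch denials on the given object class, keyed by source context."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and 'polmatch' in rec['perms'] and rec.get('tclass') == tclass:
            counts[rec['scontext']] += 1
    return dict(counts)


def denials_for_context(log_text, scontext):
    """All polmatch denials whose scontext equals the one asked about."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in recs if r and 'polmatch' in r['perms'] and r['scontext'] == scontext]


if __name__ == '__main__':
    for ctx, n in polmatch_denials_by_scontext(SAMPLE_AUDIT_LOG).items():
        print(f'{n:3d}  {context_type(ctx):12s}  {ctx}')
```

On a live system the same filter is `ausearch -m avc` piped through this parser; the sendto denial in the sample is on the same class but is deliberately not counted, since only polmatch says the SPD entry's label was the thing that failed to match.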
