racoon denials
Daniel Fazekas
fdsubs at t-online.hu
Wed Aug 19 11:01:20 UTC 2009
On Aug 18, 2009, at 19:30, Daniel J Walsh wrote:
> I can add a tunable to allow racoon to read shadow, although I would
> like to see it use pam if a port is available.
I too would prefer PAM, unfortunately Fedora 11's copy of racoon is
built without --with-libpam.
There already a BZ about it from November 2008:
https://bugzilla.redhat.com/show_bug.cgi?id=470793
> I will also add the ability to transition from racoon to setkey_t,
> but I would prefer if you put your temporary files in /var/racoon
> or /var/run/pluto or /var/run/racoon.
> System Services should NEVER use /tmp for creation of interaction
> with files. Users live there and users is evil :^)
Turns out that was simple enough.
I just added
TMPDIR="/var/racoon"
to the start of the bash shell script, and now bash doesn't try
putting its stuff into /tmp.
What's even better is that this already seems to be allowed by the
current policy.
So the whole extra myracoon module could be simplified as:
---------
policy_module(myracoon, 0.0.5)
require { type racoon_t, setkey_exec_t; }
auth_read_shadow(racoon_t)
can_exec(racoon_t, setkey_exec_t)
fs_dontaudit_getattr_xattr_fs(racoon_t)
---------
Are these reasonable to add to the official policy one day?
More information about the fedora-selinux-list
mailing list