racoon denials

Daniel Fazekas fdsubs at t-online.hu
Mon Aug 17 08:59:59 UTC 2009


selinux-policy-3.6.12-72.fc11.noarch
selinux-policy-targeted-3.6.12-72.fc11.noarch
ipsec-tools-0.7.2-1.fc11.x86_64

I'm getting a handful of racoon denials with what I believe is a pretty common setup — is there anything I could be doing differently?

allow racoon_t shadow_t:file { read getattr open };

This is needed for racoon to do XAuth logins with the default auth_source of system. Unfortunately that's the only option available with racoon as supplied in Fedora 11, as support for pam/ldap/radius isn't built in.


The rest is all caused by my having a phase1_up/down script in /etc/racoon/scripts (the directory and the script are both system_u:object_r:bin_t:s0).

allow racoon_t setkey_exec_t:file { read execute open execute_no_trans };
allow racoon_t fs_t:filesystem getattr;
allow racoon_t tmp_t:dir { write remove_name getattr search add_name };
allow racoon_t tmp_t:file { write getattr read create unlink open };

Calling /sbin/setkey to add and remove SPDs is the primary reason to have an up/down script.
It is less clear why the fs_t and tmp_t accesses are necessary. It's a /bin/sh script which isn't doing anything other than calling /sbin/setkey.

type=AVC msg=audit(1250495868.674:27320): avc:  denied  { getattr } for  pid=5436 comm="l2tp_up_down" path="/tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27321): avc:  denied  { write } for  pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27322): avc:  denied  { getattr } for  pid=5436 comm="l2tp_up_down" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1250495868.674:27323): avc:  denied  { search } for  pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27323): avc:  denied  { add_name } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27323): avc:  denied  { create } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.674:27323): avc:  denied  { write open } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.675:27324): avc:  denied  { getattr } for  pid=5436 comm="l2tp_up_down" path="/tmp/sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27325): avc:  denied  { read } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27326): avc:  denied  { remove_name } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.676:27326): avc:  denied  { unlink } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27327): avc:  denied  { execute } for  pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27327): avc:  denied  { read open } for  pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27327): avc:  denied  { execute_no_trans } for  pid=5436 comm="l2tp_up_down" path="/sbin/setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.280:27354): avc:  denied  { execute } for  pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.280:27354): avc:  denied  { read open } for  pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.280:27354): avc:  denied  { execute_no_trans } for  pid=5533 comm="l2tp_up_down" path="/sbin/setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.293:27359): avc:  denied  { read } for  pid=5533 comm="setkey" path=2F746D702F73682D7468642D31323530353139323239202864656C6574656429 dev=dm-0 ino=30914 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
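Added example, not part of the original post: a small Python script that does by hand what a policy writer would otherwise get from audit2allow, so the denials above can be checked record by record. It parses AVC lines, folds them into per-(source type, target type, class) permission sets in the same `allow` syntax the post uses, and decodes the one hex-encoded `path=` value in the last record. The audit subsystem hex-encodes a path or name whenever it contains a space or non-printable byte; that value decodes to `/tmp/sh-thd-1250519229 (deleted)`, and `sh-thd-` is the prefix bash uses for the temporary file it creates to back a here-document. That is the likely source of the tmp_t (and, via the stat of `/`, fs_t) accesses from a script that "only calls setkey": a `setkey -c <<EOF` construct goes through an unlinked file in /tmp, which setkey then reads on its stdin. The sample records are copied from the message; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC records from the post, one per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1250495868.674:27320): avc:  denied  { getattr } for  pid=5436 comm="l2tp_up_down" path="/tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27321): avc:  denied  { write } for  pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27322): avc:  denied  { getattr } for  pid=5436 comm="l2tp_up_down" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1250495868.674:27323): avc:  denied  { search } for  pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27323): avc:  denied  { add_name } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27323): avc:  denied  { create } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.674:27323): avc:  denied  { write open } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27326): avc:  denied  { remove_name } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.676:27327): avc:  denied  { execute } for  pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27327): avc:  denied  { read open } for  pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27327): avc:  denied  { execute_no_trans } for  pid=5436 comm="l2tp_up_down" path="/sbin/setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.293:27359): avc:  denied  { read } for  pid=5533 comm="setkey" path=2F746D702F73682D7468642D31323530353139323239202864656C6574656429 dev=dm-0 ino=30914 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# A value is either double-quoted or a bare token; audit leaves hex-encoded values unquoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_hex(value):
    """Decode an audit hex-encoded string (used for names with spaces or odd bytes)."""
    try:
        return bytes.fromhex(value).decode('utf-8', 'replace')
    except ValueError:
        return value


def parse_avc(line):
    """Return {'perms': [...], field: value, ...} for one AVC line, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, raw in FIELD_RE.findall(m.group('fields')):
        if raw.startswith('"'):
            rec[key] = raw[1:-1]
        elif key in ('path', 'name'):
            rec[key] = decode_hex(raw)   # unquoted path/name means hex-encoded
        else:
            rec[key] = raw
    return rec


def type_of(context):
    """system_u:object_r:tmp_t:s0 -> tmp_t"""
    return context.split(':')[2]


def summarize(log_text):
    """Fold AVC records into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
    return dict(rules)


def format_rules(rules):
    """Render the summary in the same allow-rule syntax the post uses."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        joined = ' '.join(sorted(perms))
        body = f'{{ {joined} }}' if len(perms) > 1 else joined
        lines.append(f'allow {src} {tgt}:{cls} {body};')
    return lines


def decoded_objects(log_text):
    """List (comm, field, object) for every path/name field, hex already decoded."""
    objs = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for field in ('path', 'name'):
            if field in rec:
                objs.append((rec['comm'], field, rec[field]))
    return objs


if __name__ == '__main__':
    for rule in format_rules(summarize(SAMPLE_AVC)):
        print(rule)
    for comm, field, obj in decoded_objects(SAMPLE_AVC):
        print(f'{comm:<13} {field}={obj}')
```

The aggregation deliberately keys on the type, not the full context, because that is the granularity an `allow` rule is written at; the decoded object list is the part worth reading before writing any rule, since a `tmp_t` denial from a here-document is better removed by changing the script (feeding setkey from a pipe or a file under a bin_t-labelled directory) than by granting racoon_t write access to /tmp.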





More information about the fedora-selinux-list mailing list