racoon denials

Daniel J Walsh dwalsh at redhat.com
Tue Aug 18 17:30:04 UTC 2009


On 08/17/2009 04:59 AM, Daniel Fazekas wrote:
> selinux-policy-3.6.12-72.fc11.noarch
> selinux-policy-targeted-3.6.12-72.fc11.noarch
> ipsec-tools-0.7.2-1.fc11.x86_64
> 
> I'm getting a handful of racoon denials with what I believe is a pretty
> common setup — is there anything I could be doing differently?
> 
> allow racoon_t shadow_t:file { read getattr open };
> 
> This is needed for racoon to do XAuth logins with the default
> auth_source of system. Unfortunately that's the only option available
> with racoon as supplied in Fedora 11, as support for pam/ldap/radius
> isn't built in.
> 
> 
> The rest is all caused by my having a phase1_up/down script in
> /etc/racoon/scripts (the directory and the script are both
> system_u:object_r:bin_t:s0).
> 
> allow racoon_t setkey_exec_t:file { read execute open execute_no_trans };
> allow racoon_t fs_t:filesystem getattr;
> allow racoon_t tmp_t:dir { write remove_name getattr search add_name };
> allow racoon_t tmp_t:file { write getattr read create unlink open };
> 
> Calling /sbin/setkey to add and remove SPDs is the primary reason to
> have an up/down script.
> It is less clear why the fs_t and tmp_t accesses are necessary. It's
> a /bin/sh script which isn't doing anything other than calling
> /sbin/setkey.
> 
> type=AVC msg=audit(1250495868.674:27320): avc:  denied  { getattr } for  pid=5436 comm="l2tp_up_down" path="/tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27321): avc:  denied  { write } for  pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27322): avc:  denied  { getattr } for  pid=5436 comm="l2tp_up_down" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> type=AVC msg=audit(1250495868.674:27323): avc:  denied  { search } for  pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27323): avc:  denied  { add_name } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27323): avc:  denied  { create } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.674:27323): avc:  denied  { write open } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.675:27324): avc:  denied  { getattr } for  pid=5436 comm="l2tp_up_down" path="/tmp/sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27325): avc:  denied  { read } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27326): avc:  denied  { remove_name } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.676:27326): avc:  denied  { unlink } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc:  denied  { execute } for  pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc:  denied  { read open } for  pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc:  denied  { execute_no_trans } for  pid=5436 comm="l2tp_up_down" path="/sbin/setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc:  denied  { execute } for  pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc:  denied  { read open } for  pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc:  denied  { execute_no_trans } for  pid=5533 comm="l2tp_up_down" path="/sbin/setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.293:27359): avc:  denied  { read } for  pid=5533 comm="setkey" path=2F746D702F73682D7468642D31323530353139323239202864656C6574656429 dev=dm-0 ino=30914 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> 
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
I can add a tunable to allow racoon to read shadow, although I would like to see it use pam if a port is available.

I will also add the ability to transition from racoon to setkey_t, but I would prefer if you put your temporary files in /var/racoon or /var/run/pluto or /var/run/racoon.

System Services should NEVER use /tmp for creation of or interaction with files. Users live there and users are evil :^)
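The tmp_t denials above are easier to read once two things are decoded. First, the audit subsystem prints a path as bare hex (no quotes) when it contains a character it will not emit raw, and the hex in the last record decodes to "/tmp/sh-thd-1250519229 (deleted)". Second, sh-thd-NNN is the name bash gives to the temporary file it writes a here-document body into, under $TMPDIR (default /tmp), so the tmp_t create/write/unlink by the script and the tmp_t read by setkey are consistent with the script feeding setkey its SPD commands through a here-document. The small triage tool below, an added example that is not from the thread or from any Fedora tooling, parses AVC records in the shape shown above, decodes hex-encoded fields, groups the denials into the allow-rule form the original poster quoted, and applies the check the reply argues for: a system service domain touching tmp_t. The sample records are constructed copies of four lines from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's audit log (four of the records,
# rejoined onto one line each). The last one carries a hex-encoded path.
SAMPLE_AVC = """\
type=AVC msg=audit(1250495868.674:27321): avc:  denied  { write } for  pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27323): avc:  denied  { create } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27327): avc:  denied  { execute_no_trans } for  pid=5436 comm="l2tp_up_down" path="/sbin/setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.293:27359): avc:  denied  { read } for  pid=5533 comm="setkey" path=2F746D702F73682D7468642D31323530353139323239202864656C6574656429 dev=dm-0 ino=30914 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Third colon-separated component of a context is the type (racoon_t, tmp_t, ...).
TYPE_RE = re.compile(r'^\w+:\w+:(?P<type>\w+)(?::|$)')


def decode_audit_value(value):
    """Quoted values are returned verbatim; an unquoted all-hex value is the
    audit subsystem's escaping of a string it would not print raw (a space,
    a quote, a non-printable byte) and is decoded back to text."""
    if value.startswith('"'):
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value


def parse_avc(line):
    """Return a dict of the record's fields, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: decode_audit_value(v) for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = set(m.group('perms').split())
    fields['stype'] = TYPE_RE.match(fields['scontext']).group('type')
    fields['ttype'] = TYPE_RE.match(fields['tcontext']).group('type')
    return fields


def summarize(lines):
    """Group denials by (source type, target type, object class) -> permissions,
    the same grouping the poster's allow lines were produced from."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(rules)


def as_allow_rules(rules):
    """Render the grouped denials in policy allow-rule syntax."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in rules.items()
    )


def flag_tmp_access(lines, service_types=('racoon_t',)):
    """The check from the reply: which programs, running in a service domain,
    touched tmp_t? Returns their comm names so the offending helper can be
    found and pointed at a service-owned directory instead of /tmp."""
    offenders = set()
    for line in lines:
        d = parse_avc(line)
        if d and d['stype'] in service_types and d['ttype'] == 'tmp_t':
            offenders.add(d['comm'])
    return sorted(offenders)


if __name__ == '__main__':
    records = SAMPLE_AVC.splitlines()
    for rule in as_allow_rules(summarize(records)):
        print(rule)
    print('decoded path:', parse_avc(records[3])['path'])
    print('service domains touching tmp_t via:', flag_tmp_access(records))
```

Run on the full set of denials from the thread, the tmp_t group collapses to exactly the dir and file allow lines the poster quoted, and flag_tmp_access names both the up/down script and setkey, which is the signal that the temporary file should be moved out of /tmp (for example by exporting TMPDIR to a directory the reply suggests, such as /var/run/racoon) rather than papered over with a tmp_t allow rule.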