racoon denials

Daniel J Walsh dwalsh at redhat.com
Tue Aug 18 17:43:15 UTC 2009


On 08/18/2009 05:36 AM, Daniel Fazekas wrote:
> On Aug 18, 2009, at 11:17, Dominick Grift wrote:
> 
>> try this rule instead of the domtrans_pattern():
>> can_exec(racoon_t, setkey_exec_t)
> 
> Thanks, that did the trick.
> Everything seems to be fine now with enforcing turned fully back on.
> 
> Here's for reference the myracoon.te we ended up with, in case it helps
> somebody else too:
> 
> policy_module(myracoon, 0.0.4)
> require { type racoon_t, setkey_exec_t; }
> 
> auth_read_shadow(racoon_t)
> 
> can_exec(racoon_t, setkey_exec_t)
> 
> fs_dontaudit_getattr_xattr_fs(racoon_t)
> 
> type racoon_tmp_t;
> files_tmp_file(racoon_tmp_t)
> manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
> manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
> files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
Ok, better than the domtrans, although most of what you showed before were probably leaked file descriptors.

I would really prefer not to use /tmp.
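
As an added illustration (this is not the poster's module, and not part of the Fedora policy), here is what the module above looks like if the scratch files are moved out of /tmp into a dedicated runtime directory. The type name racoon_var_run_t and the path /var/run/racoon are assumptions: if the base policy already declares a runtime type for racoon, require that type instead of declaring a new one, and racoon itself has to be pointed at the new directory, since the thread does not say what it was writing to /tmp. The .te and .fc parts are shown in one block, separated by a comment.

```selinux
# myracoon.te (example, not the module from the thread)
policy_module(myracoon, 0.0.5)

require {
	type racoon_t;
	type setkey_exec_t;
}

# Carried over from the module in the thread.
auth_read_shadow(racoon_t)

# Run setkey inside racoon_t instead of transitioning to a setkey domain,
# so descriptors racoon leaves open are used by the same domain and do not
# show up as denials in a second domain.
can_exec(racoon_t, setkey_exec_t)

fs_dontaudit_getattr_xattr_fs(racoon_t)

# Private runtime type instead of racoon_tmp_t under /tmp.
# Assumed name; see the note above about reusing an existing type.
type racoon_var_run_t;
files_pid_file(racoon_var_run_t)

manage_dirs_pattern(racoon_t, racoon_var_run_t, racoon_var_run_t)
manage_files_pattern(racoon_t, racoon_var_run_t, racoon_var_run_t)

# Anything racoon creates directly under /var/run gets the private type;
# files created inside the labelled /var/run/racoon directory inherit it.
files_pid_filetrans(racoon_t, racoon_var_run_t, { dir file })

# ---- myracoon.fc (assumed path) ----
# /var/run/racoon(/.*)?	gen_context(system_u:object_r:racoon_var_run_t,s0)
```

Build it the usual way (make -f /usr/share/selinux/devel/Makefile, then semodule -i myracoon.pp), create the directory and run restorecon -Rv /var/run/racoon so the parent gets the new label before racoon starts; otherwise files it creates there would still land as var_run_t and the manage_*_pattern rules above would not cover them. The .fc line is commented out only so the block stays one file; it belongs in myracoon.fc without the leading #.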
