racoon denials
Daniel Fazekas
fdsubs at t-online.hu
Tue Aug 18 17:53:02 UTC 2009
On Aug 18, 2009, at 19:43, Daniel J Walsh wrote:
>> type racoon_tmp_t;
>> files_tmp_file(racoon_tmp_t)
>> manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
>> manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
>> files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
> Ok better then the domtrans, although most of what you showed before
> were probably leaked file descriptors.
> I would really prefer not to use /tmp.
I still think – though haven't actually tested it – that all those tmp
file accesses are caused by bash's here-doc syntax to provide input
for setkey. (The temp files are all named sh-thd-#UNIX_TIMESTAMP#)
Just like the example script in ipsec-tools, /etc/racoon/scripts/
p1_up_down does it:
setkey -c << EOT
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
esp/tunnel/${LOCAL}-${REMOTE}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
esp/tunnel/${REMOTE}-${LOCAL}/require;
EOT
The only other alternative seems to be to put the rules into a
dynamically created temp file, which I could then place anywhere, then
use setkey -f to load it from there.
"setkey takes a series of operations from standard input (if invoked
with -c) or the file named filename (if invoked with -f filename)."
More information about the fedora-selinux-list
mailing list