racoon denials

Tomas Mraz tmraz at redhat.com
Wed Aug 19 14:17:46 UTC 2009


On Wed, 2009-08-19 at 13:01 +0200, Daniel Fazekas wrote:
> On Aug 18, 2009, at 19:30, Daniel J Walsh wrote:
> 
> > I can add a tunable to allow racoon to read shadow, although I would
> > like to see it use pam if a port is available.
> 
> I too would prefer PAM, unfortunately Fedora 11's copy of racoon is
> built without --with-libpam.
> There is already a BZ about it from November 2008:
> https://bugzilla.redhat.com/show_bug.cgi?id=470793
> 
> > I will also add the ability to transition from racoon to setkey_t,
> > but I would prefer if you put your temporary files in /var/racoon
> > or /var/run/pluto or /var/run/racoon.
> > System Services should NEVER use /tmp for creation of interaction
> > with files.  Users live there and users is evil :^)
> 
> Turns out that was simple enough.
> 
> I just added
> TMPDIR="/var/racoon"
> to the start of the bash shell script, and now bash doesn't try
> putting its stuff into /tmp.
> What's even better is that this already seems to be allowed by the
> current policy.

I've added the TMPDIR setting to the ipsec-tools-0.7.3-2.fc12 package -
you can get it from koji or from rawhide mirrors later.

> So the whole extra myracoon module could be simplified as:
> 
> ---------
> policy_module(myracoon, 0.0.5)
> require { type racoon_t, setkey_exec_t; }
> 
> auth_read_shadow(racoon_t)
> can_exec(racoon_t, setkey_exec_t)
> fs_dontaudit_getattr_xattr_fs(racoon_t)
> ---------
> 
> Are these reasonable to add to the official policy one day?

I've also added --with-libpam to the build and added some initial racoon
PAM configuration. Can you please test xauth against pam instead of
shadow? I still suppose some selinux-policy adjustments will be
necessary.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
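An added example, not part of the thread and not code from ipsec-tools or selinux-policy: it triages audit AVC lines for racoon_t into the fixes the thread settles on, and deliberately treats a tmp_t denial as a configuration problem (TMPDIR=/var/racoon) rather than something to allow in policy. The AVC lines are constructed samples; the interface names are the ones quoted in the myracoon module above.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample audit excerpt for racoon_t (not taken from the thread).
SAMPLE_AVC = """\
type=AVC msg=audit(1250690000.101:201): avc:  denied  { read } for  pid=2101 comm="racoon" name="shadow" dev=dm-0 ino=131 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1250690000.102:202): avc:  denied  { execute } for  pid=2102 comm="racoon" name="setkey" dev=dm-0 ino=9912 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250690000.103:203): avc:  denied  { write } for  pid=2103 comm="bash" name="tmp" dev=dm-0 ino=2 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250690000.104:204): avc:  denied  { getattr } for  pid=2104 comm="racoon" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1250690000.104:204): arch=c000003e syscall=137 success=no exit=-13
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)')

def parse_avc(line: str) -> Optional[Tuple[List[str], str, str, str]]:
    """Return (perms, source type, target type, class) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("sctx").split(":")[2]   # user:role:type:level -> type
    ttype = m.group("tctx").split(":")[2]
    return m.group("perms").split(), stype, ttype, m.group("tclass")

def triage(perms, stype, ttype, tclass) -> str:
    """Map one racoon_t denial to the fix the thread proposes for it."""
    if stype != "racoon_t":
        return "ignore: not racoon_t"
    if ttype == "shadow_t" and tclass == "file":
        return "auth_read_shadow(racoon_t)"          # thread prefers PAM (--with-libpam) over this
    if ttype == "setkey_exec_t" and "execute" in perms:
        return "can_exec(racoon_t, setkey_exec_t)"
    if ttype == "tmp_t":
        # Not a policy gap: a system service should stay out of /tmp entirely;
        # the thread's fix is TMPDIR=/var/racoon in the start script.
        return "config: set TMPDIR=/var/racoon, do not allow tmp_t"
    if tclass == "filesystem" and perms == ["getattr"]:
        return "fs_dontaudit_getattr_xattr_fs(racoon_t)"
    return "unclassified: review manually before granting anything"

def triage_log(text: str) -> List[str]:
    """Triage every AVC line in an audit excerpt; non-AVC lines are skipped."""
    out = []
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is not None:
            out.append(triage(*parsed))
    return out
```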