racoon denials

Daniel J Walsh dwalsh at redhat.com
Wed Aug 19 23:42:31 UTC 2009


On 08/18/2009 01:53 PM, Daniel Fazekas wrote:
> On Aug 18, 2009, at 19:43, Daniel J Walsh wrote:
> 
>>> type racoon_tmp_t;
>>> files_tmp_file(racoon_tmp_t)
>>> manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
>>> manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
>>> files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
>> Ok, better than the domtrans, although most of what you showed before
>> were probably leaked file descriptors.
>> I would really prefer not to use /tmp.
> 
> I still think – though haven't actually tested it – that all those tmp
> file accesses are caused by bash's here-doc syntax to provide input for
> setkey. (The temp files are all named sh-thd-#UNIX_TIMESTAMP#)
> 
> Just like the example script in ipsec-tools,
> /etc/racoon/scripts/p1_up_down does it:
> 
> setkey -c << EOT
> spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
>        esp/tunnel/${LOCAL}-${REMOTE}/require;
> spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
>        esp/tunnel/${REMOTE}-${LOCAL}/require;
> EOT
> 
> The only other alternative seems to be to put the rules into a
> dynamically created temp file, which I could then place anywhere, then
> use setkey -f to load it from there.
> 
> "setkey takes a series of operations from standard input (if invoked
> with -c) or the file named filename (if invoked with -f filename)."
> 
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes, that looks correct. So I will add the rules to rawhide.


Miroslav, can you grab the ipsec.te from rawhide and put it in F11?
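As an added illustration of the alternative Daniel Fazekas describes (not code from ipsec-tools or from this thread), here is a p1_up_down-style fragment that builds the two spdadd rules with printf into a file outside /tmp and loads it with "setkey -f". The function names and the RACOON_RULE_DIR location are assumptions; note that "cat > file << EOT" would not help, because the here-doc itself is what makes the shell create the sh-thd-* temp file.

```shell
#!/bin/sh
# Added example (not ipsec-tools' p1_up_down): write the SPD rules with
# printf instead of a here-doc, so the shell never creates an sh-thd-*
# file under $TMPDIR, then load the rule file with "setkey -f".

# Assumed location for the generated rule file; pick a directory the
# racoon policy already lets racoon_t write to, not /tmp.
RACOON_RULE_DIR="${RACOON_RULE_DIR:-/var/run/racoon}"

# build_spd_rules INTERNAL_ADDR4 LOCAL REMOTE OUTFILE
# Writes the same two spdadd statements as the p1_up_down here-doc,
# using only printf (no here-doc, no temp file from the shell).
build_spd_rules() {
    internal="$1"; local_ip="$2"; remote="$3"; out="$4"
    # Subshell so the restrictive umask does not leak into the caller;
    # the rule file is created mode 0600.
    ( umask 077
      printf 'spdadd %s/32[any] 0.0.0.0/0[any] any -P out ipsec\n\tesp/tunnel/%s-%s/require;\n' \
          "$internal" "$local_ip" "$remote" > "$out"
      printf 'spdadd 0.0.0.0/0[any] %s[any] any -P in ipsec\n\tesp/tunnel/%s-%s/require;\n' \
          "$internal" "$remote" "$local_ip" >> "$out" )
}

# load_spd_rules RULEFILE
# Feeds the file to setkey -f and removes it afterwards. Returns setkey's
# exit status, or 2 when setkey is not installed (so the example can run
# on a host without ipsec-tools).
load_spd_rules() {
    command -v setkey >/dev/null 2>&1 || return 2
    setkey -f "$1"; rc=$?
    rm -f "$1"
    return $rc
}

# Typical use from the phase-1 up script, with racoon's exported variables:
#   rules="$RACOON_RULE_DIR/spd.$$"
#   build_spd_rules "$INTERNAL_ADDR4" "$LOCAL" "$REMOTE" "$rules"
#   load_spd_rules "$rules"
```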