racoon denials
Daniel J Walsh
dwalsh at redhat.com
Thu Aug 20 00:00:56 UTC 2009
On 08/19/2009 07:01 AM, Daniel Fazekas wrote:
> On Aug 18, 2009, at 19:30, Daniel J Walsh wrote:
>
>> I can add a tunable to allow racoon to read shadow, although I would
>> like to see it use pam if a port is available.
>
> I too would prefer PAM, unfortunately Fedora 11's copy of racoon is
> built without --with-libpam.
> There already a BZ about it from November 2008:
> https://bugzilla.redhat.com/show_bug.cgi?id=470793
>
>> I will also add the ability to transition from racoon to setkey_t, but
>> I would prefer if you put your temporary files in /var/racoon or
>> /var/run/pluto or /var/run/racoon.
>> System Services should NEVER use /tmp for creation of interaction with
>> files. Users live there and users is evil :^)
>
> Turns out that was simple enough.
>
> I just added
> TMPDIR="/var/racoon"
> to the start of the bash shell script, and now bash doesn't try putting
> its stuff into /tmp.
> What's even better is that this already seems to be allowed by the
> current policy.
>
> So the whole extra myracoon module could be simplified as:
>
> ---------
> policy_module(myracoon, 0.0.5)
> require { type racoon_t, setkey_exec_t; }
>
> auth_read_shadow(racoon_t)
> can_exec(racoon_t, setkey_exec_t)
> fs_dontaudit_getattr_xattr_fs(racoon_t)
> ---------
>
> Are these reasonable to add to the official policy one day?
>
Yes
More information about the fedora-selinux-list
mailing list