Linux Archive > Redhat > Fedora SELinux Support

07-07-2010, 08:10 AM
Gerard Braad

SELinux and openswan

I have an issue when running SELinux in targeted mode with openswan on CentOS 5.

On one node it works well, but another node fails with:

/bin/sh: error while loading shared libraries: libtermcap.so.2: cannot
open shared object file: Permission denied

when I try to do a 'service ipsec start'. With 'setenforce 0' the
service starts.

The output that ends up in my dmesg is:

type=1400 audit(1278489551.987:60): avc: denied { search } for
pid=1278 comm="ipsec" name="/" dev=xvda ino=2
scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir

and as permissive:

type=1404 audit(1278489596.565:78): enforcing=0 old_enforcing=1
auid=4294967295 ses=4294967295
type=1400 audit(1278489600.661:79): avc: denied { search } for
pid=1292 comm="ipsec" name="/" dev=xvda ino=2
scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
type=1400 audit(1278489600.661:80): avc: denied { getattr } for
pid=1292 comm="ipsec" path="/" dev=xvda ino=2
scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
type=1400 audit(1278489600.681:81): avc: denied { read } for
pid=1292 comm="addconn" name="libnspr4.so" dev=xvda ino=7696
scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=1400 audit(1278489600.681:82): avc: denied { getattr } for
pid=1292 comm="addconn" path="/usr/lib64/libnspr4.so" dev=xvda
ino=7696 scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=1400 audit(1278489600.681:83): avc: denied { execute } for
pid=1292 comm="addconn" path="/usr/lib64/libnspr4.so" dev=xvda
ino=7696 scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=1400 audit(1278489600.693:84): avc: denied { read } for
pid=1295 comm="ipsec" name="sh" dev=xvda ino=25126
scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
type=1400 audit(1278489600.697:85): avc: denied { execute_no_trans }
for pid=1298 comm="_realsetup" path="/sbin/ip" dev=xvda ino=7805
scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=1400 audit(1278489600.701:86): avc: denied { create } for
pid=1298 comm="ip" scontext=user_u:system_r:ipsec_mgmt_t:s0
tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket

--
Gerard Braad — 吉拉德
Project-lead Fedora-MIPS
http://fedoraproject.org/wiki/User:gbraad
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
07-07-2010, 08:35 AM
Paul Howarth

SELinux and openswan

On 07/07/10 09:10, Gerard Braad wrote:
> I have an issue when running SELinux in targeted mode with openswan on CentOS 5.
>
> On one node it works well, but another node fails with:
>
> /bin/sh: error while loading shared libraries: libtermcap.so.2: cannot
> open shared object file: Permission denied
>
> when I try to do a 'service ipsec start'. With 'setenforce 0' the
> service starts.
>
> The output that ends up in my dmesg is:
>
> type=1400 audit(1278489551.987:60): avc: denied { search } for
> pid=1278 comm="ipsec" name="/" dev=xvda ino=2
> scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
>
> and as permissive:
>
> type=1404 audit(1278489596.565:78): enforcing=0 old_enforcing=1
> auid=4294967295 ses=4294967295
> type=1400 audit(1278489600.661:79): avc: denied { search } for
> pid=1292 comm="ipsec" name="/" dev=xvda ino=2
> scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> type=1400 audit(1278489600.661:80): avc: denied { getattr } for
> pid=1292 comm="ipsec" path="/" dev=xvda ino=2
> scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> type=1400 audit(1278489600.681:81): avc: denied { read } for
> pid=1292 comm="addconn" name="libnspr4.so" dev=xvda ino=7696
> scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=file
> type=1400 audit(1278489600.681:82): avc: denied { getattr } for
> pid=1292 comm="addconn" path="/usr/lib64/libnspr4.so" dev=xvda
> ino=7696 scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=file
> type=1400 audit(1278489600.681:83): avc: denied { execute } for
> pid=1292 comm="addconn" path="/usr/lib64/libnspr4.so" dev=xvda
> ino=7696 scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=file
> type=1400 audit(1278489600.693:84): avc: denied { read } for
> pid=1295 comm="ipsec" name="sh" dev=xvda ino=25126
> scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
> type=1400 audit(1278489600.697:85): avc: denied { execute_no_trans }
> for pid=1298 comm="_realsetup" path="/sbin/ip" dev=xvda ino=7805
> scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=file
> type=1400 audit(1278489600.701:86): avc: denied { create } for
> pid=1298 comm="ip" scontext=user_u:system_r:ipsec_mgmt_t:s0
> tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket

The target contexts in most of these denials are file_t, indicating a
labelling problem. Has the system been run with SELinux in disabled mode
for some time? I'd suggest relabelling and trying again.

Paul.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
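Paul's triage rule (a target context of file_t means the object was never labelled, so the fix is a relabel, not a policy change) can be applied mechanically to a batch of AVC records. The script below is an added example written for this page, not code from the thread or from the openswan/SELinux projects. It parses `avc: denied` records, pulls the type out of each context, and separates denials against unlabelled targets from denials that a relabel cannot explain. The embedded sample is constructed from a subset of the records in the thread; the `triage`, `mislabelled_objects` and `summary` helpers are this example's own names.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the AVC records posted in this thread,
# one record per line as they appear in dmesg / audit.log. The final line is a
# mode change (type=1404), not a denial, and must be ignored by the parser.
SAMPLE_AVC = """\
type=1400 audit(1278489600.661:79): avc: denied { search } for pid=1292 comm="ipsec" name="/" dev=xvda ino=2 scontext=user_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=1400 audit(1278489600.681:83): avc: denied { execute } for pid=1292 comm="addconn" path="/usr/lib64/libnspr4.so" dev=xvda ino=7696 scontext=user_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=1400 audit(1278489600.697:85): avc: denied { execute_no_trans } for pid=1298 comm="_realsetup" path="/sbin/ip" dev=xvda ino=7805 scontext=user_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=1400 audit(1278489600.701:86): avc: denied { create } for pid=1298 comm="ip" scontext=user_u:system_r:ipsec_mgmt_t:s0 tcontext=user_u:system_r:ipsec_mgmt_t:s0 tclass=netlink_route_socket
type=1404 audit(1278489596.565:78): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
"""

# Shape of a denial: avc: denied { perm1 perm2 } for key=value key="quoted" ...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean "this object carries no real label": the denial is a
# labelling problem (fix with a relabel), not a gap in the loaded policy.
UNLABELLED_TYPES = {"file_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:range]; policy rules are written against
    # the type, so extract it from both the source and the target context.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def triage(text):
    """Split every denial in `text` into labelling problems vs policy gaps."""
    buckets = {"labelling": [], "policy": []}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # e.g. the type=1404 enforcing-mode change
        bucket = "labelling" if rec["tcontext_type"] in UNLABELLED_TYPES else "policy"
        buckets[bucket].append(rec)
    return buckets


def mislabelled_objects(buckets):
    """Sorted paths (or names, when no path was logged) of objects with an
    unlabelled type; these are what restorecon / autorelabel would fix."""
    return sorted({r.get("path") or r.get("name") for r in buckets["labelling"]})


def summary(buckets):
    """Counts per (source type, target type, object class) for an overview."""
    return Counter((r["scontext_type"], r["tcontext_type"], r["tclass"])
                   for bucket in buckets.values() for r in bucket)


if __name__ == "__main__":
    t = triage(SAMPLE_AVC)
    print("labelling denials:", len(t["labelling"]), "policy denials:", len(t["policy"]))
    print("objects to relabel:", mislabelled_objects(t))
    for key, n in summary(t).items():
        print(n, key)
```

On the sample, the three file_t denials land in the labelling bucket and point at `/`, `/sbin/ip` and `/usr/lib64/libnspr4.so`, which is consistent with a filesystem that was never labelled rather than a single misplaced file. The netlink_route_socket denial has ipsec_mgmt_t on both sides, so no relabel will change it; it is the kind of record worth re-checking after the relabel, because denials that remain once labels are correct are the ones that actually need a policy update.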
 
07-07-2010, 09:53 AM
Paul Howarth

SELinux and openswan

On 07/07/10 09:55, Gerard Braad wrote:
> On Wed, Jul 7, 2010 at 4:35 PM, Paul Howarth<paul@city-fan.org> wrote:
>> The target contexts in most of these denials are file_t, indicating a
>> labelling problem. Has the system been run with SELinux in disabled mode
>> for some time? I'd suggest relabelling and trying again.
>>
>> Paul.
>
> After doing a rpm -qa I noted selinux-policy wasn't installed, but
> selinux-policy-targeted was. Should there be a dependency between these
> two? After doing an autorelabel all seems to work properly. :-s

There is such a dependency on F-13 at least:

$ rpm -q --requires selinux-policy-targeted
/bin/sh
/bin/sh
/bin/sh
config(selinux-policy-targeted) = 3.7.19-33.fc13
coreutils
policycoreutils >= 2.0.78-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(VersionedDependencies) <= 3.0.3-1
selinux-policy = 3.7.19-33.fc13
selinux-policy = 3.7.19-33.fc13
rpmlib(PayloadIsXz) <= 5.2-1

Paul.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux