[prev in list] [next in list] [prev in thread] [next in thread]
List: fedora-selinux-list
Subject: Re: openswan start denied by selinux if a custom log file is used
From: Daniel J Walsh <dwalsh () redhat ! com>
Date: 2013-05-20 13:03:24
Message-ID: 519A1F1C.6030408 () redhat ! com
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/20/2013 07:03 AM, Manuel Wolfshant wrote:
> On 05/20/2013 01:45 PM, Dominick Grift wrote:
>> On Mon, 2013-05-20 at 12:36 +0300, Manuel Wolfshant wrote:
>>> On 05/20/2013 12:31 PM, Manuel Wolfshant wrote:
>>>> Hello
>>>>
>>>> I am using CentOS 6.4 and I want to store the logs from openswan into
>>>> a different file ( /var/log/ipsec ) than the default. For this
>>>> purpose I added
>>>>
>>>> plutostderrlog=/var/log/ipsec
>>>>
>>>> to ipsec.conf. As long as I keep the server in permissive mode,
>>>> openswan starts OK. If, however, I switch to enforcing, the daemon
>>>> refuses to start with the following error message displayed in the
>>>> console:
>>>>
>>>> ipsec_setup: Starting Openswan IPsec
>>>> U2.6.32/K3.0.78-1.el6.elrepo.x86_64... ipsec_setup: Cannot write to
>>>> "/var/log/ipsec".
>>>>
>>>> The audit log does not record anything useful so I tried to switch
>>>> dontaudit to off and see if anything useful comes out. After running
>>>> audit2allow and a bit of trial and error I came out with the
>>>> following custom policy :
>>>>
>>>> module myipsec 1.0;
>>>>
>>>> require { type ipsec_t;
>>>>
>>> Sorry, this line is:
>>>
>>> type ipsec_mgmt_t;
>>>
>>>
>>>> type var_log_t; class file { write ioctl getattr append }; }
>>>>
>>>> #============= ipsec_mgmt_t ==============
>>>>
>>>> allow ipsec_mgmt_t var_log_t:file write;
>>>>
>>>>
>>>> The above policy worked for me but I am wondering if it is OK (I am
>>>> mostly confused by the fact that the class includes " write ioctl
>>>> getattr append " but the rule has only "write" ). And, assuming it
>>>> is OK can this custom policy ( or the corrected one if needed ) be
>>>> included in the default policy ?
>>>>
>>>> TIA
>>>>
>>>> manuel
>> This particular solution is a bad idea:
>
> I did have some doubts, hence my question :)
>
>
>>
>> First lets see what ipsec types are available:
>>
>>> # seinfo -t | grep ipsec ipsecnat_port_t ipsec_t ipsec_initrc_exec_t
>>> ipsec_mgmt_t ipsec_log_t ipsecnat_client_packet_t ipsec_var_run_t
>>> ipsec_key_file_t ipsec_mgmt_var_run_t ipsec_conf_file_t
>>> ipsecnat_server_packet_t ipsec_exec_t ipsec_mgmt_exec_t
>>> ipsec_mgmt_lock_t ipsec_spd_t ipsec_tmp_t
>> The policy is (mostly) written with self-documentation in mind, in this
>> case meaning that the name of the type describes it functionality
>>
>> As you can see, on my system it lists ipsec_log_t. I assume that this is
>> a type for ipsec log files.
>>
>> Now were going to use the sesearch command to see hope ipsec_mgmt_t can
>> operate on ipsec_log_t files:
>>
>>> # sesearch --allow -s ipsec_mgmt_t -t ipsec_log_t | grep " ipsec_log_t
>>> " allow ipsec_mgmt_t ipsec_log_t : file { ioctl read write create
>>> getattr setattr lock append unlink link rename open } ; allow
>>> ipsec_mgmt_t ipsec_log_t : dir { ioctl read write getattr lock add_name
>>> remove_name search open } ;
>> So ipsec_mgmt_t is allowed pretty much full access to ipsec_log_t files,
>> it is also allowed pretty much manage content in ipsec_log_t type
>> directories.
>>
>> So the solution is to label your new log location with the ipsec_log_t
>> type.
>>
>> But lets look at the stock location of the ipsec log file (s)
>>
>>> semanage fcontext -l | grep ipsec_log_t /var/log/pluto\.log
>>> regular file system_u:object_r:ipsec_log_t:s0
>> So theres some things to consider here:
>>
>> Did you create /var/log/ipsec file manually? How are you dealing with log
>> rotation?
>>
>> But i will make some assumptions (that you have create /var/log/ipsec for
>> ipsec manually)
>>
>> Likely solution is to:
>>
>> semanage fcontext -a -t ipsec_log_t "/var/log/ipsec.*" restorecon -v
>> /var/log/ipsec
>>
>> This solution is much cleaner because this enables you that you do not
>> have to allow ipsec_mgmt_t to "write" generic log content. [...]
>>
>> So label you ipsec log file ipsec_log_t like the example above and you
>> should be set.
>
> And yes I was set. Thank you a lot. Much cleaner, indeed.
>
>
> M.
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I wrote a quick blog on this.
http://danwalsh.livejournal.com/64142.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlGaHxwACgkQrlYvE4MpobNKAQCdFPI4nczUsXhH2eEKiFFJS1qv
g0AAn3P1xV6QtYGsGyTjlYGMRG2Ep5dc
=XH1U
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic